From owner-freebsd-security@freebsd.org Wed Feb 1 22:30:46 2017
Message-Id: <201702012138.OAA15630@mail.lariat.net>
Date: Wed, 01 Feb 2017 14:37:41 -0700
From: Brett Glass
To: Piotr Kubaj, freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
In-Reply-To: <20170201121121.GA75931@chujemuje>
References: <20170201121121.GA75931@chujemuje>

At 05:11 AM 2/1/2017, Piotr Kubaj via freebsd-security wrote:

>We shouldn't forbid people to shoot themselves in their heads. If
>someone needs it, they should get it, especially since it won't
>require much maintenance.
>Just repocopy the port and mark as deprecated and vulnerable next
>time there's a CVE in OpenSSH.

Perhaps it would be best if the SSHv1 code were encapsulated in a library which could be used to access perfectly good equipment for which new software/firmware is not being developed. This would keep the code, whatever its quality, out of the main SSH codebase but still make it possible to access vital gear as needed.

My company has equipment that would cost more than we could afford to replace that runs only SSHv1, and is well protected from attacks by other means (such as firewalls and VPNs). It's perfectly safe to use SSHv1 with it, and a darned sight safer than devolving to Telnet.

Just as it's useful to have a way of accessing devices that use SSLv3 (we maintain browsers specifically for that purpose), it pays to have a way to get at an embedded device that will never support versions of SSH beyond v1.

--Brett Glass