From owner-freebsd-security@freebsd.org  Mon Sep 20 19:21:21 2021
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id B21276ABF9F
 for <freebsd-security@mailman.nyi.freebsd.org>;
 Mon, 20 Sep 2021 19:21:21 +0000 (UTC) (envelope-from mat@freebsd.org)
Received: from smtp.freebsd.org (smtp.freebsd.org
 [IPv6:2610:1c1:1:606c::24b:4])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4HCvYY4fs8z4p3j;
 Mon, 20 Sep 2021 19:21:21 +0000 (UTC) (envelope-from mat@freebsd.org)
Received: from mail.j.mat.cc (owncloud.cube.mat.cc [IPv6:2a01:678:4:1::228])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mail.mat.cc", Issuer "R3" (verified OK))
 (Authenticated sender: mat/mail)
 by smtp.freebsd.org (Postfix) with ESMTPSA id 6C18D22E89;
 Mon, 20 Sep 2021 19:21:21 +0000 (UTC) (envelope-from mat@freebsd.org)
Received: from aching.in.mat.cc (unknown
 [IPv6:2a01:678:42:0:ffc2:a9e4:d09f:c077])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest
 SHA256) (No client certificate requested)
 (Authenticated sender: mat@mat.cc)
 by mail.j.mat.cc (Postfix) with ESMTPSA id AD2C3942D81;
 Mon, 20 Sep 2021 19:21:18 +0000 (UTC)
Date: Mon, 20 Sep 2021 21:21:17 +0200
From: Mathieu Arnold <mat@freebsd.org>
To: Eugene Grosbein <eugen@grosbein.net>
Cc: Ed Maste <emaste@freebsd.org>, freebsd-security@freebsd.org
Subject: Re: Important note for future FreeBSD base system OpenSSH update
Message-ID: <20210920192117.ylaewdyxcjtl6rsb@aching.in.mat.cc>
References: <CAPyFy2A390kS_C3g=Y9QhQcJ06z_FKUxXsNvi9g2CdWF24pukg@mail.gmail.com>
 <CAPyFy2B04b0GtWoHFQwxht5vK4_cnApPXpDLXU+RvcR=2L9YxA@mail.gmail.com>
 <CAPyFy2Aw8Z3ngiM8YHApjjPRLZVC5MCN8TRQkh6pj2fSeM1zqw@mail.gmail.com>
 <e17ea9da-4a3b-a21f-2107-8b94e094974d@grosbein.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="c6o5srltse6xawnc"
Content-Disposition: inline
In-Reply-To: <e17ea9da-4a3b-a21f-2107-8b94e094974d@grosbein.net>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Sep 2021 19:21:21 -0000


--c6o5srltse6xawnc
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Sep 12, 2021 at 05:09:45AM +0700, Eugene Grosbein wrote:
> 10.09.2021 1:01, Ed Maste wrote:
>=20
> > To check whether a server is using the weak ssh-rsa public key
> > algorithm, for host authentication, try to connect to it after
> > removing the ssh-rsa algorithm from ssh(1)'s allowed list:
> >=20
> >     ssh -oHostKeyAlgorithms=3D-ssh-rsa user@host
> >=20
> > If the host key verification fails and no other supported host key
> > types are available, the server software on that host should be
> > upgraded.
>=20
> I have some telco equipment (E1/SS7) based on custom Linux distro built b=
y a vendor:
>=20
> $ ssh -oHostKeyAlgorithms=3D-ssh-rsa user@host
> Unable to negotiate with X.X.X.X port 22: no matching host key type found=
=2E Their offer: ssh-rsa
>=20
> I've already asked the vendor for possible upgrade and was told that no u=
pgrade will be available.
>=20
> Will I be able to use ssh_config and following command to re-enable the f=
eature after planned import?
>=20
> HostKeyAlgorithms ssh-rsa

Same here, I have many telco and even switches and routers that only
support ssh-rsa, will it be possible to use a ssh_config knob to enable
it back?

--=20
Mathieu Arnold

--c6o5srltse6xawnc
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQKTBAABCgB9FiEEVhwchfRfuV0unqO5KesJApEdfgIFAmFI3yhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDU2
MUMxQzg1RjQ1RkI5NUQyRTlFQTNCOTI5RUIwOTAyOTExRDdFMDIACgkQKesJApEd
fgKARg/9GwxP+aPnLsUo+ZjxRfKIaUmvUs0phVPSlOsfeIc7IADR6c/2pKufPxX1
Y6i8sFQXJAVf3+cqm0cwlBxonVZ63/rSzFT2l9rfB6xp5EIhe50yLhxJeEt7Vl3z
ENGqki0IYOR21ziohja2rr9xz2nzlkZm27rUdkysODoqHkW0OESqMOMFl/lkdc/k
uVAj1d1rac34yATtRgE0JSFFnlCJ+PeYotw5w5bh3TcvNsTy7Lhv1EP9S6AcE7S3
5Wa6/hooF++8TwJP6DyaV29l1mB1WBcVceELiUez+4/LyBNflTifY4pZv8E3F/TE
Ua9l3wZMeFF0LCqWz0ZU7mNjjcP5bHIBbD43JZpUKqM1ndM0lpufO4K3DOqBr4P3
5BFii+H6r4sbH+mkUc1tIdWYFOYzAt2xicnYs+0AyBz40c1ewTsusB8rs73l3z0r
E7qgHWKN7ivZAWvotGn1Rnc9sbfSCesYJU9XtOb3MouTfqNvF1eNPF2B8Jh/hsar
6ckyyqDJeW2YdV5IT1TNGLW0dLTboPI4w2mZBJ1P8P+W4ixSuCaCDHBtmSaeAx4M
AQZAMOH6JkgRbwFR+HS4G0Sgx93f+7eAQRsloHQ45eTD6lu75pzT+zSJ5cN07lfZ
FAkBzMfuTkfQOSKv2HRPH+eQUBpVPJDbb1TeG417uB/dX9ZYqFo=
=4aHI
-----END PGP SIGNATURE-----

--c6o5srltse6xawnc--