From nobody Wed Apr 9 17:34:22 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZXqnq1SzMz5s6Xp for ; Wed, 09 Apr 2025 17:34:39 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: from mail-io1-f46.google.com (mail-io1-f46.google.com [209.85.166.46]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ZXqnn45Dbz3J4m for ; Wed, 09 Apr 2025 17:34:37 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=freebsd.org (policy=none); spf=pass (mx1.freebsd.org: domain of carpeddiem@gmail.com designates 209.85.166.46 as permitted sender) smtp.mailfrom=carpeddiem@gmail.com Received: by mail-io1-f46.google.com with SMTP id ca18e2360f4ac-854a68f5a9cso566605939f.0 for ; Wed, 09 Apr 2025 10:34:37 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744220074; x=1744824874; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Nx/EG7c3my9hMl5Jurv/LjpYJQrmF4Xn8zBPdMUkVfk=; b=tFFtaMH06xuCY888J5IVR7ReCavf05MTgw4YeQjegozLey9CRlonXAVlUINxTsrNaj cgaBWex3iQIqan3xJIZNIpBj4odEN2xmXDbJtGdKrj8GBkNRsSMMHtmhAi1/hgZvfALM b9GrLwuSeE8BEgxPTE8rhanVONuJ7pvMxtHuIsHwFbcqH/1MHlDrQXkwEd5gIKGOoxKD b1J3UK0ntEXHgn1cCLqjPzeQbCh3of0bRWw0e4FkQHbz55geKQDmMWGQm0Xy0mnAOJG/ uC4E3yoi79OiddjCqzbod2WlZcWFZP+rOgMaBbPspEJjSaUqupN8dlNiHwA01sIICA91 pnng== X-Gm-Message-State: AOJu0YwmlS5cGutUlZuZAISRzEpto6GD7HkcuV9cU/EuMRN8nX3QShsk rowEWlN5EnaGRSi/ZMpnVOEQlE0iGxikrD2HyH6qA727lJCIQjUrWkcqWY/JZPJ/Xeir+2F53Kp pDS88uDUVcWJzi7nHbHlWJNURMFpJiTIQ X-Gm-Gg: ASbGnctPDORp3UvIbaXRy3Sw13FV+ny0ysFaFUX21aUJ+yIMFDrbFEsP8EkRqR+b1Sh tQinW/CtHeWBvnncxuLsyE6TIbIGZ6BOqKx7o6PgyNhu6NKR17DuTQEBCJcKuJRi2kdsrcBJerD 6nyETlbAf4fAysmiOCdFBnWXNm8/1A7XzH X-Google-Smtp-Source: AGHT+IEhwNwx2k8WPQZRVbzKerjzL/JRST6Hr2jWKTOCQyACDG+mrYstIUEYNcnCA6McCF/NIZEbzstRpnaIydE3sAg= X-Received: by 2002:a05:6602:c8b:b0:85c:5521:cbfe with SMTP id ca18e2360f4ac-861611d0af3mr495711839f.8.1744220073913; Wed, 09 Apr 2025 10:34:33 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 References: <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de> In-Reply-To: From: Ed Maste Date: Wed, 9 Apr 2025 13:34:22 -0400 X-Gm-Features: ATxdqUE-uFfNRMIPCVzPCjb5e6Aek3Sd9XWTFuOZkezYj7JXUWWGtSPEvoN1K7I Message-ID: Subject: Re: Heads-up: DSA key support being removed from OpenSSH To: Christian Weisgerber Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Spamd-Result: default: False [1.54 / 15.00]; NEURAL_SPAM_LONG(1.00)[1.000]; NEURAL_SPAM_MEDIUM(0.99)[0.993]; NEURAL_HAM_SHORT(-0.55)[-0.548]; FORGED_SENDER(0.30)[emaste@freebsd.org,carpeddiem@gmail.com]; R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c]; DMARC_POLICY_SOFTFAIL(0.10)[freebsd.org : SPF not aligned (relaxed), No valid DKIM,none]; MIME_GOOD(-0.10)[text/plain]; RCPT_COUNT_TWO(0.00)[2]; FREEMAIL_ENVFROM(0.00)[gmail.com]; TO_DN_SOME(0.00)[]; RCVD_TLS_LAST(0.00)[]; MIME_TRACE(0.00)[0:+]; ARC_NA(0.00)[]; RCVD_COUNT_ONE(0.00)[1]; FREEFALL_USER(0.00)[carpeddiem]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; FROM_NEQ_ENVFROM(0.00)[emaste@freebsd.org,carpeddiem@gmail.com]; RCVD_IN_DNSWL_NONE(0.00)[209.85.166.46:from]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.166.46:from]; R_DKIM_NA(0.00)[]; MISSING_XM_UA(0.00)[]; RBL_SENDERSCORE_REPUT_8(0.00)[209.85.166.46:from]; FROM_HAS_DN(0.00)[] X-Rspamd-Queue-Id: 4ZXqnn45Dbz3J4m X-Spamd-Bar: + On Tue, 1 Apr 2025 at 20:40, Christian Weisgerber wrote: > > Christian Weisgerber: > > > If OpenSSH upstream stick to the published schedule, version 9.9 > > that is now in 13-STABLE/14-STABLE/15-CURRENT will be the _final_ > > release that even includes the DSA code. > > Subject: Call for testing: OpenSSH 10.0 > [...] > Potentially-incompatible changes > -------------------------------- > > * This release removes support for the weak DSA signature > algorithm, completing the deprecation process that began in > 2015 (when DSA was disabled by default) and repeatedly warned > over the the last 12 months. > [...] > > https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041855.html I'm preparing to import OpenSSH 10.0 into the FreeBSD base system, and intend to merge the DSA removal separately in advance. Two reviews are open for this: - https://reviews.freebsd.org/D49739 - https://reviews.freebsd.org/D49740 (rc.d/sshd update from jlduran) From nobody Thu Apr 10 16:41:17 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZYQZ4744fz5t8XF for ; Thu, 10 Apr 2025 16:41:32 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: from mail-il1-f178.google.com (mail-il1-f178.google.com [209.85.166.178]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ZYQZ34HNjz41hl for ; Thu, 10 Apr 2025 16:41:31 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=freebsd.org (policy=none); spf=pass (mx1.freebsd.org: domain of carpeddiem@gmail.com designates 209.85.166.178 as permitted sender) smtp.mailfrom=carpeddiem@gmail.com Received: by mail-il1-f178.google.com with SMTP id e9e14a558f8ab-3cf82bd380bso7433025ab.0 for ; Thu, 10 Apr 2025 09:41:31 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744303289; x=1744908089; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=s0l/sUSgord6CJJXVkrmUjQaE7llB6L0VBcqm7NU7rQ=; b=Y/GLo+9eGl3RI12CmBm9SsZbTLnOxhfOSbc0xyoOenQT6shIxQoSQuqI1J0JYPGs3h 7Obg2tHv4y5clrxNWlLzy3T+uLnNfnCkF8wAciIKvHBGpSiM887hFHKDCe/7VlAYsTaz AX4TTNEcCWJiE2ET4HjG5sy4nTDYY5t1rH6PNc+AVAF0/MGgmNuRylED3/f+4aHA/Z2n 4lB/Uce2JNaq67XgKALpbBUujUwcPp4nJ7cvGf9mOOmObXnmfTbZ1DfySyvdJsVvHgDR G5dSvFZ1INrf+IKSdWipsJnrq9iWXPvin2YdLOkj/qQ/Dray8ZZOfIvJhd6KZljaQHJs rJAA== X-Gm-Message-State: AOJu0YzW6O5DUTQioAargPUf9QzZmWgu9T7w9OMLxW6/xA/xfPhZjfx+ 29t5TGdfSDzZzmUcmPP2P6B10moqA7mzVNYYP92iMvokP6T2ovH+0VL2lYxdbLoWZu3yKqPVjuu bFdmd/oXMgakJ6zBP3MU0rNE/pXQexA== X-Gm-Gg: ASbGncuLL7Ig6vLIUKq2oYXbjsOVG/GSQw8DpSnLpFuxxgfcKW8Yc12ihopDwe8bvmO 8ql8oVv8laA9T7oiNNsSoo2o0fGifveR3fiP9udf05xlQNSJUxqJIr+pejIgFcPspJg40aaBrye eIULm/Q+feJskwny1kEwHgN7o3NNor87V4eBD95fY2h4fQ1mCOKVg2dx1dNxXrQHgR/FU= X-Google-Smtp-Source: AGHT+IFXukk8LsGrlqNrK4GJDLylGb3ycNPDxEKoEMIrdiJUmxftaGuxnwUHBUa1AUeoKtzVzY8MYnQYN6mbu8uMyzY= X-Received: by 2002:a05:6e02:3:b0:3d4:3fed:81f7 with SMTP id e9e14a558f8ab-3d7e4782225mr42031805ab.19.1744303289239; Thu, 10 Apr 2025 09:41:29 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 References: <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de> In-Reply-To: <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de> From: Ed Maste Date: Thu, 10 Apr 2025 12:41:17 -0400 X-Gm-Features: ATxdqUEkK9k7Tm7qxnUkc0cgxQO9vt6Wqt1aCXifZ8X-SX_qEResTd7hVwHmsOo Message-ID: Subject: Re: Heads-up: DSA key support being removed from OpenSSH To: Jan Bramkamp Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Spamd-Result: default: False [1.11 / 15.00]; NEURAL_SPAM_MEDIUM(1.00)[1.000]; NEURAL_SPAM_LONG(0.98)[0.983]; NEURAL_HAM_SHORT(-0.97)[-0.970]; FORGED_SENDER(0.30)[emaste@freebsd.org,carpeddiem@gmail.com]; R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c]; DMARC_POLICY_SOFTFAIL(0.10)[freebsd.org : SPF not aligned (relaxed), No valid DKIM,none]; MIME_GOOD(-0.10)[text/plain]; RCPT_COUNT_TWO(0.00)[2]; FREEMAIL_ENVFROM(0.00)[gmail.com]; TO_DN_SOME(0.00)[]; RCVD_TLS_LAST(0.00)[]; MIME_TRACE(0.00)[0:+]; ARC_NA(0.00)[]; RCVD_COUNT_ONE(0.00)[1]; FREEFALL_USER(0.00)[carpeddiem]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; FROM_NEQ_ENVFROM(0.00)[emaste@freebsd.org,carpeddiem@gmail.com]; RCVD_IN_DNSWL_NONE(0.00)[209.85.166.178:from]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.166.178:from]; R_DKIM_NA(0.00)[]; MISSING_XM_UA(0.00)[]; RBL_SENDERSCORE_REPUT_8(0.00)[209.85.166.178:from]; FROM_HAS_DN(0.00)[] X-Rspamd-Queue-Id: 4ZYQZ34HNjz41hl X-Spamd-Bar: + On Wed, 19 Mar 2025 at 17:21, Jan Bramkamp wrote: > > As long as it's "only" a compile-time option away for FreeBSD to enable > this flawed cipher I would like to have it compiled in by default so it > doesn't require installing SSH from ports to connect to some stupid old > router/switch/UPS/whatever over SSH. As long as it won't negotiate that > cipher with the default configuration that's safe enough for my needs. > > TL;DR: Please keep it enabled it at compile-time, but configured > disabled. FreeBSD shouldn't require recompiling the base system to > connect to older embedded devices. It's a compile-time option in 9.9 and earlier. As of 10.0 the configure infrastructure has been removed but the source hasn't yet been deleted. I expect that will happen soon though. We'll keep DSA available, at least in stable branches, as long as it's reasonably convenient and safe to do so, but won't patch it back in once the source is removed. From nobody Thu Apr 10 22:24:49 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZYZBS25wyz5rvV5 for ; Thu, 10 Apr 2025 22:25:04 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mx-01.divo.sbone.de (mx-01.divo.sbone.de [IPv6:2003:a:140a:2200:6:594:fffe:19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (prime256v1) client-digest SHA256) (Client CN "mx-01.divo.sbone.de", Issuer "E5" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ZYZBR6hD8z47sD; Thu, 10 Apr 2025 22:25:03 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Authentication-Results: mx1.freebsd.org; none Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:4902:0:7404:2:1025]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256) (No client certificate requested) by mx-01.divo.sbone.de (Postfix) with ESMTPS id A3DD3A64805; Thu, 10 Apr 2025 22:24:51 +0000 (UTC) Received: from content-filter.t4-02.sbone.de (content-filter.t4-02.sbone.de [IPv6:fde9:577b:c1a9:4902:0:7404:2:2742]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id 7FBF72D029E0; Thu, 10 Apr 2025 22:24:51 +0000 (UTC) X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:4902:0:7404:2:1025]) by content-filter.t4-02.sbone.de (content-filter.t4-02.sbone.de [IPv6:fde9:577b:c1a9:4902:0:7404:2:2742]) (amavisd-new, port 10024) with ESMTP id PZAalIj42z9S; Thu, 10 Apr 2025 22:24:50 +0000 (UTC) Received: from strong-rtwn0.sbone.de (strong-rtwn0.sbone.de [IPv6:fde9:577b:c1a9:4902:3e64:cfff:fe55:bc80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id 3A9432D029D8; Thu, 10 Apr 2025 22:24:50 +0000 (UTC) Date: Thu, 10 Apr 2025 22:24:49 +0000 (UTC) From: "Bjoern A. Zeeb" To: Ed Maste cc: freebsd-security@freebsd.org Subject: Re: Heads-up: DSA key support being removed from OpenSSH In-Reply-To: Message-ID: References: <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de> X-OpenPGP-Key-Id: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:3320, ipnet:2003::/19, country:DE] X-Rspamd-Queue-Id: 4ZYZBR6hD8z47sD X-Spamd-Bar: ---- On Thu, 10 Apr 2025, Ed Maste wrote: > On Wed, 19 Mar 2025 at 17:21, Jan Bramkamp wrote: >> >> As long as it's "only" a compile-time option away for FreeBSD to enable >> this flawed cipher I would like to have it compiled in by default so it >> doesn't require installing SSH from ports to connect to some stupid old >> router/switch/UPS/whatever over SSH. As long as it won't negotiate that >> cipher with the default configuration that's safe enough for my needs. >> >> TL;DR: Please keep it enabled it at compile-time, but configured >> disabled. FreeBSD shouldn't require recompiling the base system to >> connect to older embedded devices. > > It's a compile-time option in 9.9 and earlier. As of 10.0 the > configure infrastructure has been removed but the source hasn't yet > been deleted. I expect that will happen soon though. > > We'll keep DSA available, at least in stable branches, as long as it's > reasonably convenient and safe to do so, but won't patch it back in > once the source is removed. Is there any chance to keep an openssh (client) port (possibly with known security risks)? Do we have alternative ssh clients in ports which will keep supporting DSA? I kind-of understand why OpenBSD is doing what they do (and have long announced so) but I also see the real world out there. The amount of network gear which relies on it still is massive. I evaluated GPON SFPs last year some which have no alternative to manage them but enabling ssh-dss. They run ancient Linux 3.x on tiny spaces; once certified run forever. Come back in 20 years. No more DSA, no more management. Lots of old switches out there belong in similar categories and the =+ssh-rsa,ssh-dss configs have grown. Even 11ax access points still fall into that category (though they could be upgraded if someone was to do the software). I think providing a list of alternative clients somewhere for our users who still need it would be very good. A wiki page or something so it can be easily maintained? Not endorsing anything just listing it. Bjoern -- Bjoern A. Zeeb r15:7 From nobody Thu Apr 10 23:21:42 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZYbRq3YsWz5s2PB for ; Thu, 10 Apr 2025 23:21:43 +0000 (UTC) (envelope-from pm_bounces@pm-bounces.phinetworksystems.co.uk) Received: from sc-ord-mta117.mtasv.net (sc-ord-mta117.mtasv.net [50.31.156.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4ZYbRq1l1Qz3ZVJ for ; Thu, 10 Apr 2025 23:21:43 +0000 (UTC) (envelope-from pm_bounces@pm-bounces.phinetworksystems.co.uk) Authentication-Results: mx1.freebsd.org; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=pm20250324; d=pm.mtasv.net; h=From:Date:Subject:Message-Id:To:Cc:References:In-Reply-To:MIME-Version: Content-Type:Content-Transfer-Encoding:Date:From:Message-ID:Reply-To:Sender: Subject:To:CC; t=1744327303; x=1744413703; bh=iRXrdetYaK5VzfJJFteUj0pJtQ9xAb+EOiLdGd1ChUk=; b=ddi7GJAa/qN5FOcCJRHtTzojMUMgSJdnNQSHrJGeKiWZ4w7SZOlJP4rhUgPpRksToeyxydPYPLTW aYG9rqfOwu2JNIhmtKCpawNIRR4CMq2EJsEFWbeurExVHFU90toGE1vp1SQnZgELK+xqfdWhk4tC j67IN1nlBfgpteplYwn0LnX0yBFrt6NQjF4AmHDH2QAkp24uyuYqDVzr0w5sHJpoE7GDcNZlmolX 1GQ7urkD9RebEpyEjBXF1YrTRvSw0tkwU64xzZOD2gh+tuGd1svm1UtyBeZCMPwszUX9DdJuQFea hcEJ2p2cN3AdyWEPXVA7Z7eWopi8ntzjOHGRLg== Received: by sc-ord-mta117.mtasv.net id hv198c3864oj for ; Thu, 10 Apr 2025 19:21:42 -0400 (envelope-from ) X-PM-IP: 50.31.156.117 X-IADB-IP: 50.31.156.117 X-IADB-IP-REVERSE: 117.156.31.50 DKIM-Signature: v=1; a=rsa-sha256; d=phinetworksystems.co.uk; s=20240616025402pm; c=relaxed/relaxed; i=mail.lists@phinetworksystems.co.uk; t=1744327302; x=1744500102; h=date:date:from:from:message-id:reply-to:sender:subject:subject:to:to:cc: references:in-reply-to:feedback-id:mime-version:content-type: content-transfer-encoding; bh=iRXrdetYaK5VzfJJFteUj0pJtQ9xAb+EOiLdGd1ChUk=; b=kAcYoiotUqpDGhk81H5mY2UXVbUh4mZH66cGwniTQIltUijw2CHGrdl6989WWKJxAk/qae6f2VV OniqPBVxtmd2LCNHhd3ujCyX7E/GXhS7er6H4pAN0V2WIfL5H19i9Gdlcjuv9Xf5FhJMdMFPdrCHE bSifozTxk2cSMVwqdjU= From: Dr Jim Allen Date: Thu, 10 Apr 2025 23:21:42 +0000 Subject: Re: Heads-up: DSA key support being removed from OpenSSH Message-Id: <1a1ceefc-ed0b-4602-b250-2a407dd7dbd1@mtasv.net> To: "Bjoern A. Zeeb" Cc: Ed Maste , freebsd-security@freebsd.org X-Assp-Version: 2.8.1(24261) on percival.phinetworksystems.net X-Assp-ID: percival.phinetworksystems.net id-27300-08872 X-Assp-Session: 2A38F3F96D38 (mail 1) X-Assp-Client-TLS: yes References: <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de> In-Reply-To: User-Agent: Mutt/1.9.4 (2018-02-28) Feedback-ID: s13555785-_:s13555785:a334230:postmark X-Complaints-To: abuse@postmarkapp.com X-PM-Message-Id: 1a1ceefc-ed0b-4602-b250-2a407dd7dbd1 X-PM-RCPT: |bTF8MzM0MjMwfDEzNTU1Nzg1fGZyZWVic2Qtc2VjdXJpdHlAZnJlZWJzZC5vcmc=| X-PM-Message-Options: v1;1.d6MDnTjlhU7RgwYoCwvSsQ.kEAxEz3paxCFhbf1IRQAqWVhsSvZTaQ5hKDxYJtCK_pzO82TWQbPZtiPVCXJbRoFLLhpTnA_0SAHJvlgnXn9-z1wCV4YNEJ0soy8lvWnUtojx9aJK-25D-recib-9MBxCGVCavLz7WU9N2dpwSmRb4aya-P24ZlIT7MKzqCtWaPlwq_d9l_z2jovq6ogldgo List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 X-PM-MTA-Pool: transactional-1 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:23352, ipnet:50.31.128.0/18, country:US] X-Rspamd-Queue-Id: 4ZYbRq1l1Qz3ZVJ X-Spamd-Bar: ---- Two things. = =20 = =20 a) Why remove the build config option? = =20 I know the code is being removed at some point, but until it is, why not = =20 leave it as a option (defaulted off)? = =20 = =20 b) The reasons for not using it are clear. I have gear like that too. = =20 Everyone does. But any of us that do need to speak to that old gear will = =20 just have to install an old version of OpenSSH in order to do so. = =20 It's no different than having to find (keep) an old piece of hardware = =20 that has a real RS232 port on it (because the gear has a weird protocol = =20 that a USB->Serial converter won't speak). = =20 = =20 I have gear that is new and gear that is 20 years old. The hassle of = =20 supporting old gear is one of the drives to renew it. It's life.=3D20 = =20 I don't agree with deprecating something just cause someone doesn't like = =20 it but this is different and if we don't want or need to replace that = =20 old gear then it's really up to us to find a fix. We can't expect the = =20 devs to keep it in for the next 20 years. We want OpenSSH secure. If we = =20 want/need to use an unsecure key method then we should be fine using and = =20 older less secure version. = =20 = =20 Jim :-) On Thu, Apr 10, 2025 at 10:24:49PM +0000, Bjoern A. Zeeb [Re: Heads-up: DSA= key support being removed from OpenSSH] wrote: > On Thu, 10 Apr 2025, Ed Maste wrote: >=20 > > On Wed, 19 Mar 2025 at 17:21, Jan Bramkamp wrote: > > >=20 > > > As long as it's "only" a compile-time option away for FreeBSD to enab= le > > > this flawed cipher I would like to have it compiled in by default so = it > > > doesn't require installing SSH from ports to connect to some stupid o= ld > > > router/switch/UPS/whatever over SSH. As long as it won't negotiate th= at > > > cipher with the default configuration that's safe enough for my needs= . > > >=20 > > It's a compile-time option in 9.9 and earlier. As of 10.0 the > > configure infrastructure has been removed but the source hasn't yet > > been deleted. I expect that will happen soon though. > >=20 > > We'll keep DSA available, at least in stable branches, as long as it's > > reasonably convenient and safe to do so, but won't patch it back in > > once the source is removed. >=20 > Do we have alternative ssh clients in ports which will keep supporting > DSA? >=20 > Lots of old switches out there belong in similar categories and the > =3D+ssh-rsa,ssh-dss >=20 > I think providing a list of alternative clients somewhere for our > users who still need it would be very good. A wiki page or something > so it can be easily maintained? Not endorsing anything just listing it. >=20 --=20 =20 Dr James Allen Phi Network Systems =20 MBL : +44 (0) 7919 332 662 DLN : +44 (0) 28 9343 8236 TEL : +44 (0) 28 93 155 600 FAX : +44 (0) 28 93 155 601 SALES : +44 (0) 845 55 77 600 EMail : Jim.Allen@PhiNetworkSystems.co.uk GPG-key : https://files.phinetworksystems.net/Downloads/GPG-Keys/Jim.Allen-Phi.gpg.as= c https://files.phinetworksystems.net/Downloads/GPG-Keys/Jim.Allen-Phi_allkey= s.gpg.asc S/MIME certificate : https://files.phinetworksystems.net/Downloads/jim.allen-at-phinetworksystem= s.co.uk.pem SKI F3:C3:77:E8:B7:B0:40:48:BD:57:4B:95:99:71:A4:4C:1A:90:9C:67 From nobody Fri Apr 11 02:23:45 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZYgTt2LmGz5sKv3 for ; Fri, 11 Apr 2025 02:23:46 +0000 (UTC) (envelope-from brooks@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ZYgTt1JCKz426Y; Fri, 11 Apr 2025 02:23:46 +0000 (UTC) (envelope-from brooks@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1744338226; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=/Tj4kf/Kbld7Oc5WaCdeIBppxgEhgMeCceRvdhCFwyY=; b=mmH+CaMgUKIJHJLXHm8QaJ7eq6Oh1I/Ai6mGaXP51LWGWkk8hY3Vzhkn+P5xUBcfllGg0H rJF07ORZBbg/MGXO/Bws5t63qp2nAAdVmk+QAAIrQj3HF49cfoj7dLICrlKjRRHbn5a/m/ ttbFW3mgqcH3J6vly9ZCU/RlVI3jnIM9cJPMT1EHzVAtTJ5FD/QMbO6PiRj5Qwgtb1KCdO 5kdyScOX6Fwwwj584p/FqQhr6K3OZ228PEjrYOIgF/RI6goehk0l5FJbB9n1tdRsVZ0mhT SxODaxhJl46hkTQxfMlPoaX1N4k9yL7iuMb/xSsmon3AG9d/01m8sR3nr43F6Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1744338226; a=rsa-sha256; cv=none; b=ij8/G9MQGO2wYt7/XDDlLPBTbH/6yLdbT4mmVfYC8DJi3HCE07qb2XAvQVogZevzdaEsVu UiVl6NrtZxGSGC0nNEsOzdqqoyFJNkOPJTY4v1tf3mxgiCKjHT08csIrZr5gmavh/kv0eH GfTO1WFc/hbTCjFx1QADhMy1hV1uMbwyTT9eSWDiQnHh8XYfqBovpSB6OCu7e2QDH+zSWI mTTjzPZDlyp2zGaos+aqzBmC0xnkPS/j/sF1xtvyd1CoU+PZz9Ww017rhs+wwLHuVe1fbJ idyYJg5etA3QQzh/m64sfuTi8VxkunpvUIBYiAks2ZXGr/hJ8HsFDvd8M6pgpg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1744338226; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=/Tj4kf/Kbld7Oc5WaCdeIBppxgEhgMeCceRvdhCFwyY=; b=bt5oGPiycUov9UNGURsf/v2oBOiNxxZNQoKneyNFsA702XcjumLK8QvsLJEJs50ks96HDe 4phwwygFAb/bDsae2m2fTJdj3WFdhq31aKgU6r5m61jBgfHldtYl5ll58kpn8zRw3VKcm5 i1Rl3KFut24wENf4ZNybkAd9ZNSvMcuMuNOQMx5k4dzGgeC4aGeMNYDuUeoNuLDK1RXWFx 5O3SU2HYXBLeixoNwwm7bNjqWMoUBrM/sBS6iwY+/Utvh5LQLcDPDLZPPDrY+CMDSqXwHJ Bh3Da6roK18TH31HgDrOeYymo5OsOFsR5lsG5bC1UT5FafHSRA06td3LU7rT/g== Received: from spindle.one-eyed-alien.net (spindle.one-eyed-alien.net [199.48.129.229]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: brooks/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4ZYgTt0HGSz2JD; Fri, 11 Apr 2025 02:23:46 +0000 (UTC) (envelope-from brooks@freebsd.org) Received: by spindle.one-eyed-alien.net (Postfix, from userid 3001) id 71AD03C01A0; Fri, 11 Apr 2025 02:23:45 +0000 (UTC) Date: Fri, 11 Apr 2025 02:23:45 +0000 From: Brooks Davis To: "Bjoern A. Zeeb" Cc: Ed Maste , freebsd-security@freebsd.org Subject: Re: Heads-up: DSA key support being removed from OpenSSH Message-ID: References: <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Thu, Apr 10, 2025 at 10:24:49PM +0000, Bjoern A. Zeeb wrote: > On Thu, 10 Apr 2025, Ed Maste wrote: > > > On Wed, 19 Mar 2025 at 17:21, Jan Bramkamp wrote: > > > > > > As long as it's "only" a compile-time option away for FreeBSD to enable > > > this flawed cipher I would like to have it compiled in by default so it > > > doesn't require installing SSH from ports to connect to some stupid old > > > router/switch/UPS/whatever over SSH. As long as it won't negotiate that > > > cipher with the default configuration that's safe enough for my needs. > > > > > > TL;DR: Please keep it enabled it at compile-time, but configured > > > disabled. FreeBSD shouldn't require recompiling the base system to > > > connect to older embedded devices. > > > > It's a compile-time option in 9.9 and earlier. As of 10.0 the > > configure infrastructure has been removed but the source hasn't yet > > been deleted. I expect that will happen soon though. > > > > We'll keep DSA available, at least in stable branches, as long as it's > > reasonably convenient and safe to do so, but won't patch it back in > > once the source is removed. > > Is there any chance to keep an openssh (client) port (possibly with known > security risks)? It seems like it would be reasonable to keep a copy of the 9.8 client around more or less indefinitely. Ideally tracking what ever fixes the longest lived, open Linux LTS is applying. Similarly we have an openssl-unsafe for connecting to old gear. I may be mistaken, but I believe security/putty's upstream takes the maximum compatibility approach. If I'm correct, people may want to switch to it for these needs. For a security/openssh98 or similar we might want to do something similar to the change I'm proposing in CheriBSD-ports where we want to package software with known vulnerabilities (e.g., webp with BLASTPASS) for the purpose of making security demos but make an concerted effort to make it hard to install. I probably wouldn't go as far as the linked USES=vulnerable implementation does, but perhaps it will serve as inspiration. A USES=obsolete:crypto that adds a known prefix and a knob to disable all such ports seems pretty plausible. https://github.com/CTSRD-CHERI/cheribsd-ports/pull/201/commits/3fdf8922f3f416770b265fd35f05c680ed6e00c2 -- Brooks From nobody Fri Apr 11 13:02:24 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZYxft5WBkz5ryfj for ; Fri, 11 Apr 2025 13:02:30 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smarthost1.sentex.ca", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ZYxft3YNRz3s3D; Fri, 11 Apr 2025 13:02:30 +0000 (UTC) (envelope-from mike@sentex.net) Authentication-Results: mx1.freebsd.org; none Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca [199.212.134.19]) by smarthost1.sentex.ca (8.18.1/8.18.1) with ESMTPS id 53BD2QYY023948 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=FAIL); Fri, 11 Apr 2025 09:02:26 -0400 (EDT) (envelope-from mike@sentex.net) Received: from [IPV6:2607:f3e0:0:4:5592:2bdb:21e4:8b9a] ([IPv6:2607:f3e0:0:4:5592:2bdb:21e4:8b9a]) by pyroxene2a.sentex.ca (8.18.1/8.15.2) with ESMTPS id 53BD2Ose085579 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Fri, 11 Apr 2025 09:02:24 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: <7995ed42-80a4-422e-82bf-4b9bf79ed192@sentex.net> Date: Fri, 11 Apr 2025 09:02:24 -0400 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Heads-up: DSA key support being removed from OpenSSH To: Brooks Davis , "Bjoern A. Zeeb" Cc: Ed Maste , freebsd-security@freebsd.org References: <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de> Content-Language: en-US From: mike tancsa Autocrypt: addr=mike@sentex.net; keydata= xsBNBFywzOMBCACoNFpwi5MeyEREiCeHtbm6pZJI/HnO+wXdCAWtZkS49weOoVyUj5BEXRZP xflV2ib2hflX4nXqhenaNiia4iaZ9ft3I1ebd7GEbGnsWCvAnob5MvDZyStDAuRxPJK1ya/s +6rOvr+eQiXYNVvfBhrCfrtR/esSkitBGxhUkBjOti8QwzD71JVF5YaOjBAs7jZUKyLGj0kW yDg4jUndudWU7G2yc9GwpHJ9aRSUN8e/mWdIogK0v+QBHfv/dsI6zVB7YuxCC9Fx8WPwfhDH VZC4kdYCQWKXrm7yb4TiVdBh5kgvlO9q3js1yYdfR1x8mjK2bH2RSv4bV3zkNmsDCIxjABEB AAHNHW1pa2UgdGFuY3NhIDxtaWtlQHNlbnRleC5uZXQ+wsCOBBMBCAA4FiEEmuvCXT0aY6hs 4SbWeVOEFl5WrMgFAl+pQfkCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQeVOEFl5W rMiN6ggAk3H5vk8QnbvGbb4sinxZt/wDetgk0AOR9NRmtTnPaW+sIJEfGBOz47Xih+f7uWJS j+uvc9Ewn2Z7n8z3ZHJlLAByLVLtcNXGoRIGJ27tevfOaNqgJHBPbFOcXCBBFTx4MYMM4iAZ cDT5vsBTSaM36JZFtHZBKkuFEItbA/N8ZQSHKdTYMIA7A3OCLGbJBqloQ8SlW4MkTzKX4u7R yefAYQ0h20x9IqC5Ju8IsYRFacVZconT16KS81IBceO42vXTN0VexbVF2rZIx3v/NT75r6Vw 0FlXVB1lXOHKydRA2NeleS4NEG2vWqy/9Boj0itMfNDlOhkrA/0DcCurMpnpbM7ATQRcsMzk AQgA1Dpo/xWS66MaOJLwA28sKNMwkEk1Yjs+okOXDOu1F+0qvgE8sVmrOOPvvWr4axtKRSG1 t2QUiZ/ZkW/x/+t0nrM39EANV1VncuQZ1ceIiwTJFqGZQ8kb0+BNkwuNVFHRgXm1qzAJweEt RdsCMohB+H7BL5LGCVG5JaU0lqFU9pFP40HxEbyzxjsZgSE8LwkI6wcu0BLv6K6cLm0EiHPO l5G8kgRi38PS7/6s3R8QDsEtbGsYy6O82k3zSLIjuDBwA9GRaeigGppTxzAHVjf5o9KKu4O7 gC2KKVHPegbXS+GK7DU0fjzX57H5bZ6komE5eY4p3oWT/CwVPSGfPs8jOwARAQABwsB2BBgB CAAgFiEEmuvCXT0aY6hs4SbWeVOEFl5WrMgFAl+pQfkCGwwACgkQeVOEFl5WrMiVqwf9GwU8 c6cylknZX8QwlsVudTC8xr/L17JA84wf03k3d4wxP7bqy5AYy7jboZMbgWXngAE/HPQU95NM aukysSnknzoIpC96XZJ0okLBXVS6Y0ylZQ+HrbIhMpuQPoDweoF5F9wKrsHRoDaUK1VR706X rwm4HUzh7Jk+auuMYfuCh0FVlFBEuiJWMLhg/5WCmcRfiuB6F59ZcUQrwLEZeNhF2XJV4KwB Tlg7HCWO/sy1foE5noaMyACjAtAQE9p5kGYaj+DuRhPdWUTsHNuqrhikzIZd2rrcMid+ktb0 NvtvswzMO059z1YGMtGSqQ4srCArju+XHIdTFdiIYbd7+jeehg== In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.86 X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA] X-Rspamd-Queue-Id: 4ZYxft3YNRz3s3D X-Spamd-Bar: ---- On 4/10/2025 10:23 PM, Brooks Davis wrote: > On Thu, Apr 10, 2025 at 10:24:49PM +0000, Bjoern A. Zeeb wrote: >> Is there any chance to keep an openssh (client) port (possibly with known >> security risks)? > It seems like it would be reasonable to keep a copy of the 9.8 client > around more or less indefinitely. Ideally tracking what ever fixes the > longest lived, open Linux LTS is applying. > > Similarly we have an openssl-unsafe for connecting to old gear. > > I may be mistaken, but I believe security/putty's upstream takes the > maximum compatibility approach. If I'm correct, people may want to > switch to it for these needs. > > For a security/openssh98 or similar we might want to do something I for one GREATLY appreciate FreeBSD's commitment and thoughtfulness around POLA through the years, but I think this is a case where having a separate legacy DSA supporting ssh client is a reasonable path to take for those who need it (I include myself in that list).  I think it makes maintaining OpenSSH a little less brittle through minimizing the divergence in code from upstream.     ---Mike From nobody Sat Apr 12 15:01:06 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZZcL319mTz5s82n for ; Sat, 12 Apr 2025 15:05:15 +0000 (UTC) (envelope-from naddy@mips.inka.de) Received: from mail.inka.de (mail.inka.de [IPv6:2a04:c9c7:0:1073:217:a4ff:fe3b:e77c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4ZZcL11zdWz3g9j for ; Sat, 12 Apr 2025 15:05:13 +0000 (UTC) (envelope-from naddy@mips.inka.de) Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of naddy@mips.inka.de designates 2a04:c9c7:0:1073:217:a4ff:fe3b:e77c as permitted sender) smtp.mailfrom=naddy@mips.inka.de Received: from mips.inka.de (naddy@[127.0.0.1]) by mail.inka.de with uucp (rmailwrap 0.5) id 1u3cPo-009Huz-3V; Sat, 12 Apr 2025 17:05:04 +0200 Received: from lorvorc.mips.inka.de (localhost [127.0.0.1]) by lorvorc.mips.inka.de (8.18.1/8.18.1) with ESMTP id 53CF16M6007243 for ; Sat, 12 Apr 2025 17:01:06 +0200 (CEST) (envelope-from naddy@lorvorc.mips.inka.de) Received: (from naddy@localhost) by lorvorc.mips.inka.de (8.18.1/8.18.1/Submit) id 53CF16lL007242 for freebsd-security@freebsd.org; Sat, 12 Apr 2025 17:01:06 +0200 (CEST) (envelope-from naddy) Date: Sat, 12 Apr 2025 17:01:06 +0200 From: Christian Weisgerber To: freebsd-security@freebsd.org Subject: Re: Heads-up: DSA key support being removed from OpenSSH Message-ID: References: <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spamd-Result: default: False [0.76 / 15.00]; NEURAL_SPAM_MEDIUM(1.00)[1.000]; NEURAL_SPAM_LONG(0.98)[0.977]; NEURAL_HAM_SHORT(-0.92)[-0.921]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.10)[text/plain]; RCPT_COUNT_ONE(0.00)[1]; ASN(0.00)[asn:202113, ipnet:2a04:c9c7::/32, country:DE]; FREEFALL_USER(0.00)[naddy]; MIME_TRACE(0.00)[0:+]; MID_RHS_MATCH_FROMTLD(0.00)[]; MISSING_XM_UA(0.00)[]; R_DKIM_NA(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; RCVD_COUNT_THREE(0.00)[3]; TO_DN_NONE(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; ARC_NA(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_TLS_LAST(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; DMARC_NA(0.00)[inka.de]; FROM_HAS_DN(0.00)[] X-Rspamd-Queue-Id: 4ZZcL11zdWz3g9j X-Spamd-Bar: / Brooks Davis: > It seems like it would be reasonable to keep a copy of the 9.8 client > around more or less indefinitely. Ideally tracking what ever fixes the > longest lived, open Linux LTS is applying. Debian even keeps an SSH protocol 1 (!) client around, based on OpenSSH 7.5. https://packages.debian.org/stable/net/openssh-client-ssh1 -- Christian "naddy" Weisgerber naddy@mips.inka.de