From owner-freebsd-security@freebsd.org Mon Jan 30 13:06:13 2017
From: Dag-Erling Smørgrav
To: heasley
Cc: freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Mon, 30 Jan 2017 13:57:32 +0100
In-Reply-To: <20170127173016.GF12175@shrubbery.net> (heasley's message of "Fri, 27 Jan 2017 17:30:17 +0000")
Message-ID: <867f5c66yr.fsf@desk.des.no>

heasley writes:
> So, what is the BCP to support a v1 client for outbound connections on fbsd
> 11? Hopefully one that I do not need to maintain by building a special ssh
> from ports. Is there a pkg that I'm missing?

FreeBSD 10 supports SSHv1 and will continue to do so. FreeBSD 11 and 12
do not, and neither does the openssh-portable port. I'm afraid you will
have to find some other SSH client.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Mon Jan 30 19:52:33 2017
From: heasley
To: Dag-Erling Smørgrav
Cc: heasley, freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Mon, 30 Jan 2017 19:52:26 +0000
In-Reply-To: <867f5c66yr.fsf@desk.des.no>
Message-ID: <20170130195226.GD73060@shrubbery.net>

Mon, Jan 30, 2017 at 01:57:32PM +0100, Dag-Erling Smørgrav:
> heasley writes:
> > So, what is the BCP to support a v1 client for outbound connections on fbsd
> > 11? Hopefully one that I do not need to maintain by building a special ssh
> > from ports. Is there a pkg that I'm missing?
>
> FreeBSD 10 supports SSHv1 and will continue to do so. FreeBSD 11 and 12
> do not, and neither does the openssh-portable port. I'm afraid you will
> have to find some other SSH client.

That is sad; I doubt that I am the only one who would need this - there
are millions of Cisco, HP, and etc network devices that folks must continue
to access but will never receive new firmware with sshv2. It takes a long
time for some equipment to transition to the recycle bin - even after
vendor EOLs.

From owner-freebsd-security@freebsd.org Mon Jan 30 21:56:20 2017
From: jungle Boogie
To: heasley
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Mon, 30 Jan 2017 13:56:03 -0800
In-Reply-To: <20170130195226.GD73060@shrubbery.net>

On 30 January 2017 at 11:52, heasley wrote:
> Mon, Jan 30, 2017 at 01:57:32PM +0100, Dag-Erling Smørgrav:
>> heasley writes:
>> > So, what is the BCP to support a v1 client for outbound connections on fbsd
>> > 11? Hopefully one that I do not need to maintain by building a special ssh
>> > from ports. Is there a pkg that I'm missing?
>>
>> FreeBSD 10 supports SSHv1 and will continue to do so. FreeBSD 11 and 12
>> do not, and neither does the openssh-portable port. I'm afraid you will
>> have to find some other SSH client.
>
> That is sad; I doubt that I am the only one who would need this - there
> are millions of Cisco, HP, and etc network devices that folks must continue
> to access but will never receive new firmware with sshv2. It takes a long
> time for some equipment to transition to the recycle bin - even after
> vendor EOLs.

Well you have about 7 months until it's deprecated from openssh.
What's wrong with continuing to use openSSH 7.4 post sshv1 deprecation?

-- 
-------
inum: 883510009027723
sip: jungleboogie@sip2sip.info

From owner-freebsd-security@freebsd.org Mon Jan 30 22:52:21 2017
From: jungle Boogie
To: heasley
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Mon, 30 Jan 2017 14:52:20 -0800
In-Reply-To: <20170130222443.GL73060@shrubbery.net>

On 30 January 2017 at 14:24, heasley wrote:
> Mon, Jan 30, 2017 at 01:56:03PM -0800, jungle Boogie:
>> On 30 January 2017 at 11:52, heasley wrote:
>> > Mon, Jan 30, 2017 at 01:57:32PM +0100, Dag-Erling Smørgrav:
>> >> heasley writes:
>> >> > So, what is the BCP to support a v1 client for outbound connections on fbsd
>> >> > 11? Hopefully one that I do not need to maintain by building a special ssh
>> >> > from ports. Is there a pkg that I'm missing?
>> >>
>> >> FreeBSD 10 supports SSHv1 and will continue to do so. FreeBSD 11 and 12
>> >> do not, and neither does the openssh-portable port. I'm afraid you will
>> >> have to find some other SSH client.
>> >
>> > That is sad; I doubt that I am the only one who would need this - there
>> > are millions of Cisco, HP, and etc network devices that folks must continue
>> > to access but will never receive new firmware with sshv2. It takes a long
>> > time for some equipment to transition to the recycle bin - even after
>> > vendor EOLs.
>>
>> Well you have about 7 months until it's deprecated from openssh.
>> What's wrong with continuing to use openSSH 7.4 post sshv1
>> deprecation?
>
> what's wrong with providing a 7.4+v1 port for everyone to use?

What will happen when 7.4 gets a vulnerability, then? I don't think
you or I will be patching it (or anyone else) and therefore, the
port/pkg will be knowingly vulnerable.

Why do we want that?

-- 
-------
inum: 883510009027723
sip: jungleboogie@sip2sip.info

From owner-freebsd-security@freebsd.org Mon Jan 30 22:24:45 2017
From: heasley
To: jungle Boogie
Cc: heasley, Dag-Erling Smørgrav, freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Mon, 30 Jan 2017 22:24:44 +0000
Message-ID: <20170130222443.GL73060@shrubbery.net>

Mon, Jan 30, 2017 at 01:56:03PM -0800, jungle Boogie:
> On 30 January 2017 at 11:52, heasley wrote:
> > Mon, Jan 30, 2017 at 01:57:32PM +0100, Dag-Erling Smørgrav:
> >> heasley writes:
> >> > So, what is the BCP to support a v1 client for outbound connections on fbsd
> >> > 11? Hopefully one that I do not need to maintain by building a special ssh
> >> > from ports. Is there a pkg that I'm missing?
> >>
> >> FreeBSD 10 supports SSHv1 and will continue to do so. FreeBSD 11 and 12
> >> do not, and neither does the openssh-portable port. I'm afraid you will
> >> have to find some other SSH client.
> >
> > That is sad; I doubt that I am the only one who would need this - there
> > are millions of Cisco, HP, and etc network devices that folks must continue
> > to access but will never receive new firmware with sshv2. It takes a long
> > time for some equipment to transition to the recycle bin - even after
> > vendor EOLs.
>
> Well you have about 7 months until it's deprecated from openssh.
> What's wrong with continuing to use openSSH 7.4 post sshv1
> deprecation?

what's wrong with providing a 7.4+v1 port for everyone to use?
From owner-freebsd-security@freebsd.org Tue Jan 31 06:11:43 2017
From: jungle boogie
To: Heasley
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Mon, 30 Jan 2017 22:11:39 -0800
In-Reply-To: <0A1A9F5A-0102-4FED-9B82-E081C29103AD@shrubbery.net>

On 01/30/2017 09:36 PM, Heasley wrote:
>>> what's wrong with providing a 7.4+v1 port for everyone to use?
>>
>> What will happen when 7.4 gets a vulnerability, then? I don't think
>> you or I will be patching it (or anyone else) and therefore, the
>> port/pkg will be knowingly vulnerable.
>>
>> Why do we want that?
>
> So you are advocating telnet? Such a client is likely better still than
> telnet, which is the only alternative.
>

No, I've explained what I've advocated: compile 7.4 yourself and use it
for your own needs. Having FreeBSD keep deprecated software around doesn't
seem practical to me, and it seems this is also what FreeBSD security
believes. Sorry that you're working with legacy hardware.

> Without a pkg, folks are forced to maintain it themselves. Which is more
> likely to receive less attention between now and EoS for v1?
>
> Don't make choices for or impose your rhetoric upon others, provide them
> the tools to make their choices.
>

Fact: I'm not imposing anything as I have no say in FreeBSD's security at
all.

FWIW, in May 2016 the openssh team announced their intentions to disable
ssh v1:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-May/035069.html

It also looks like they pushed the deprecation from June to August as well.

Looks like ssh v1 was disabled at compile time in March 2015:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-March/033701.html

So unsurprisingly, it looks like they've communicated the desire to remove
sshv1 for a while.
From owner-freebsd-security@freebsd.org Tue Jan 31 10:49:53 2017
From: Terje Elde
To: heasley
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Tue, 31 Jan 2017 11:49:44 +0100
In-Reply-To: <20170130195226.GD73060@shrubbery.net>
Message-Id: <320E35B3-7200-4804-928C-686657FCDFBE@elde.net>

> On 30 Jan 2017, at 20:52, heasley wrote:
>
> That is sad; I doubt that I am the only one who would need this - there
> are millions of Cisco, HP, and etc network devices that folks must continue
> to access but will never receive new firmware with sshv2. It takes a long
> time for some equipment to transition to the recycle bin - even after
> vendor EOLs.

I get your point, but there are other ways to go about this.

The right way to go about it would IMHO be fairly simple:

If you have few boxes, bin them. If they're not getting firmware updates,
ssh v1 isn't your only problem.

If you have too many critical or expensive boxes to make that practical,
you can probably afford a Soekris, Raspberry Pi or similar, that you can
keep at FreeBSD 10, and use as a jump host. Which you should probably have
anyway, if your equipment is no longer getting updates.

Either way; problem solved, and relatively cleanly so.

"We have that crud over there, so we must keep this crud over here" really
isn't the way to move security forward, especially not when better
solutions are easily available. SSH2 has been around for a decade now,
it's time to let go of SSH1, at least in primary systems.

Terje

From owner-freebsd-security@freebsd.org Tue Jan 31 12:25:16 2017
From: Dag-Erling Smørgrav
To: heasley
Cc: freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Tue, 31 Jan 2017 13:24:29 +0100
In-Reply-To: <20170130195226.GD73060@shrubbery.net> (heasley's message of "Mon, 30 Jan 2017 19:52:26 +0000")
Message-ID: <867f5bfmde.fsf@desk.des.no>

heasley writes:
> Dag-Erling Smørgrav writes:
> > FreeBSD 10 supports SSHv1 and will continue to do so. FreeBSD 11
> > and 12 do not, and neither does the openssh-portable port. I'm
> > afraid you will have to find some other SSH client.
> That is sad;

You know what would be even sadder?
If the OpenSSH developers had to continue to devote significant resources
to maintaining a rat's nest of legacy code so 0.0001% of their users could
continue to use an obsolete protocol to connect to obsolete equipment,
instead of devoting those same resources to developing new features and
improving existing ones. Especially when those users have plenty of
alternatives to choose from, including but not limited to security/putty.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Tue Jan 31 05:36:33 2017
From: Heasley
To: jungle Boogie
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Mon, 30 Jan 2017 21:36:31 -0800
Message-Id: <0A1A9F5A-0102-4FED-9B82-E081C29103AD@shrubbery.net>

On 30.01.2017 at 14:52, jungle Boogie wrote:
>
>> On 30 January 2017 at 14:24, heasley wrote:
>> Mon, Jan 30, 2017 at 01:56:03PM -0800, jungle Boogie:
>>>> On 30 January 2017 at 11:52, heasley wrote:
>>>> Mon, Jan 30, 2017 at 01:57:32PM +0100, Dag-Erling Smørgrav:
>>>>> heasley writes:
>>>>>> So, what is the BCP to support a v1 client for outbound connections on fbsd
>>>>>> 11? Hopefully one that I do not need to maintain by building a special ssh
>>>>>> from ports. Is there a pkg that I'm missing?
>>>>>
>>>>> FreeBSD 10 supports SSHv1 and will continue to do so. FreeBSD 11 and 12
>>>>> do not, and neither does the openssh-portable port. I'm afraid you will
>>>>> have to find some other SSH client.
>>>>
>>>> That is sad; I doubt that I am the only one who would need this - there
>>>> are millions of Cisco, HP, and etc network devices that folks must continue
>>>> to access but will never receive new firmware with sshv2. It takes a long
>>>> time for some equipment to transition to the recycle bin - even after
>>>> vendor EOLs.
>>>
>>> Well you have about 7 months until it's deprecated from openssh.
>>> What's wrong with continuing to use openSSH 7.4 post sshv1
>>> deprecation?
>>
>> what's wrong with providing a 7.4+v1 port for everyone to use?
>
> What will happen when 7.4 gets a vulnerability, then? I don't think
> you or I will be patching it (or anyone else) and therefore, the
> port/pkg will be knowingly vulnerable.
>
> Why do we want that?

So you are advocating telnet? Such a client is likely better still than
telnet, which is the only alternative.

Without a pkg, folks are forced to maintain it themselves. Which is more
likely to receive less attention between now and EoS for v1?

Don't make choices for or impose your rhetoric upon others, provide them
the tools to make their choices.

>
> -- 
> -------
> inum: 883510009027723
> sip: jungleboogie@sip2sip.info

From owner-freebsd-security@freebsd.org Tue Jan 31 08:32:22 2017
From: Lars Engels
To: heasley
Cc: freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Tue, 31 Jan 2017 09:32:17 +0100
Message-ID: <20170131083217.GG25286@e-new.0x20.net>
In-Reply-To: <20170127173016.GF12175@shrubbery.net>
<20170127173016.GF12175@shrubbery.net> X-Editor: VIM - Vi IMproved 7.4 X-Operation-System: FreeBSD 8.4-RELEASE-p35 User-Agent: Mutt/1.5.23 (2014-03-12) X-Mailman-Approved-At: Tue, 31 Jan 2017 13:03:14 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 Jan 2017 08:32:22 -0000 --A3bjmUvO/1DXpqhN Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jan 27, 2017 at 05:30:17PM +0000, heasley wrote: > I do appreciate fbsd's and openssh's altruism with the removal of v1 supp= ort. > But, the fact is that there is equipment in the wild that does not support > v2 and never will and otherwise works perfectly fine, yet sshv1 is still a > better choice than telnet. >=20 > So, what is the BCP to support a v1 client for outbound connections on fb= sd > 11? Hopefully one that I do not need to maintain by building a special s= sh > from ports. Is there a pkg that I'm missing? If you can use a GTK application, there's security/putty which supports SSHv1. 
From owner-freebsd-security@freebsd.org Tue Jan 31 12:13:03 2017
From: Piotr Kubaj
To: freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Tue, 31 Jan 2017 13:12:48 +0100
Message-ID: <20170131121248.GC74900@chujemuje>

I believe FreeBSD should just have a slave port with OpenSSH 7.4, used only
for SSHv1. People using such port should know the consequences of it.
Debian does it too with https://packages.debian.org/stretch/openssh-client-ssh1

From owner-freebsd-security@freebsd.org Tue Jan 31 20:17:29 2017
From: heasley
To: Dag-Erling Smørgrav
Cc: heasley, freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Tue, 31 Jan 2017 20:17:22 +0000
Message-ID: <20170131201722.GH11924@shrubbery.net>
In-Reply-To: <867f5bfmde.fsf@desk.des.no>

Tue, Jan 31, 2017 at 01:24:29PM +0100, Dag-Erling Smørgrav:
> heasley writes:
> > Dag-Erling Smørgrav writes:
> > > FreeBSD 10 supports SSHv1 and will continue to do so. FreeBSD 11
> > > and 12 do not, and neither does the openssh-portable port. I'm
> > > afraid you will have to find some other SSH client.
> > That is sad;
>
> You know what would be even sadder? If the OpenSSH developers had to
> continue to devote significant resources to maintaining a rat's nest of
> legacy code so 0.0001% of their users could continue to use an obsolete
> protocol to connect to obsolete equipment, instead of devoting those
> same resources to developing new features and improving existing ones.
> Especially when those users have plenty of alternatives to choose from,
> including but not limited to security/putty.

I was not suggesting that openssl maintain their apparently messy code;
they're maintaining it already, for whatever the remaining period is.
i'm suggesting a port with a v1 client; that is built with all the other
binary ports for abi changes and whatever else is reasonable.
yes, i can build my own, but i feel it should be a port.

I appreciate the putty suggestion, but it appears to be graphical only.
Happy to have it pointed-out that I've missed a port having v1.

i also understand the devote position of buy new equipment to advance
security; it's simply not going to happen anytime soon. and i'm not alone.
i'm not rich, i don't control depreciation schedules, etc etc.

From owner-freebsd-security@freebsd.org Tue Jan 31 21:41:34 2017
From: Michael Toth
To: heasley, Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Tue, 31 Jan 2017 16:41:27 -0500
Message-ID: <3d6298a5-bcea-4880-024e-56628308d8e2@queldor.net>
In-Reply-To: <20170131201722.GH11924@shrubbery.net>

On 1/31/2017 3:17 PM, heasley wrote:
> Tue, Jan 31, 2017 at 01:24:29PM +0100, Dag-Erling Smørgrav:
>> heasley writes:
>>> Dag-Erling Smørgrav writes:
>>>> FreeBSD 10 supports SSHv1 and will continue to do so. FreeBSD 11
>>>> and 12 do not, and neither does the openssh-portable port. I'm
>>>> afraid you will have to find some other SSH client.
>>> That is sad;
>>
>> You know what would be even sadder? If the OpenSSH developers had to
>> continue to devote significant resources to maintaining a rat's nest of
>> legacy code so 0.0001% of their users could continue to use an obsolete
>> protocol to connect to obsolete equipment, instead of devoting those
>> same resources to developing new features and improving existing ones.
>> Especially when those users have plenty of alternatives to choose from,
>> including but not limited to security/putty.
>
> I was not suggesting that openssl maintain their apparently messy code;
> they're maintaining it already, for whatever the remaining period is.
> i'm suggesting a port with a v1 client; that is built with all the other
> binary ports for abi changes and whatever else is reasonable. yes, i
> can build my own, but i feel it should be a port.
>
> I appreciate the putty suggestion, but it appears to be graphical only.
> Happy to have it pointed-out that I've missed a port having v1.
>
> i also understand the devote position of buy new equipment to advance
> security; it's simply not going to happen anytime soon. and i'm not alone.
> i'm not rich, i don't control depreciation schedules, etc etc.
There is a non-graphical port of putty (putty-nogtk) which installs plink

From owner-freebsd-security@freebsd.org Wed Feb 1 10:16:02 2017
From: Dag-Erling Smørgrav
To: heasley
Cc: freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Wed, 01 Feb 2017 11:15:10 +0100
Message-ID: <86y3xqdxox.fsf@desk.des.no>
In-Reply-To: <20170131201722.GH11924@shrubbery.net>

heasley writes:
> Dag-Erling Smørgrav writes:
> > You know what would be even sadder? If the OpenSSH developers had
> > to continue to devote significant resources to maintaining a rat's
> > nest of legacy code [...]
> I was not suggesting that openssl maintain their apparently messy
> code; they're maintaining it already, for whatever the remaining
> period is.

The legacy code I'm referring to is code they inherited from Tatu Ylönen
and have worked diligently to improve over the last 15 years. But SSH1
is a shitty protocol and too different from SSH2 to be easily integrated
into a single framework. There really isn't much point in expending any
more effort on it.

> i'm suggesting a port with a v1 client; that is built with all the other
> binary ports for abi changes and whatever else is reasonable. yes, i
> can build my own, but i feel it should be a port.

You mean like net/tcpdump398, which was forked from net/tcpdump because
some people liked its output format better than that of tcpdump 4, and
then forgotten, and is known to have dozens of security vulnerabilities?
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Wed Feb 1 12:11:32 2017
From: Piotr Kubaj
To: freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Wed, 1 Feb 2017 13:11:21 +0100
Message-ID: <20170201121121.GA75931@chujemuje>

> You mean like net/tcpdump398, which was forked from net/tcpdump because
> some people liked its output format better than that of tcpdump 4, and
> then forgotten, and is known to have dozens of security vulnerabilities?

We shouldn't forbid people to shoot themselves in their heads. If someone
needs it, they should get, especially since it won't require much
maintenance. Just repocopy the port and mark as deprecated and vulnerable
next time there's a CVE in OpenSSH.
From owner-freebsd-security@freebsd.org Wed Feb 1 13:35:17 2017
From: Roger Marquis
To: freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Wed, 1 Feb 2017 05:31:28 -0800 (PST)
Message-ID: <1702010520560.39428@mx5.roble.com>
In-Reply-To: <20170131121248.GC74900@chujemuje>

> I believe FreeBSD should just have a slave port with OpenSSH 7.4, used only
> for SSHv1. People using such port should know the consequences of it.

This could be a good candidate for a new ports category,

  /usr/ports/legacy

If implemented there is a lot of code, in both ports and base, that
should be relocated. (telnet, rsh/rlogin/rcp/..., nis/yp, rpc.*, cvs,
games, ppp, sendmail, finger, ...)

Roger

From owner-freebsd-security@freebsd.org Wed Feb 1 13:48:25 2017
From: Slawa Olhovchenkov
To: Roger Marquis
Cc: freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Wed, 1 Feb 2017 16:48:20 +0300
Message-ID: <20170201134820.GC79121@zxy.spb.ru>
In-Reply-To: <1702010520560.39428@mx5.roble.com>

On Wed, Feb 01, 2017 at 05:31:28AM -0800, Roger Marquis wrote:
> > I believe FreeBSD should just have a slave port with OpenSSH 7.4, used only
> > for SSHv1. People using such port should know the consequences of it.
>
> This could be a good candidate for a new ports category,
>
>   /usr/ports/legacy
>
> If implemented there is a lot of code, in both ports and base, that
> should be relocated. (telnet, rsh/rlogin/rcp/..., nis/yp, rpc.*, cvs,
> games, ppp, sendmail, finger, ...)

...nfs, kerberos, sshv2, top, GENERIC, cp, mv, ifconfig, netstat...

From owner-freebsd-security@freebsd.org Wed Feb 1 22:30:46 2017
From: Brett Glass
To: Piotr Kubaj, freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Wed, 01 Feb 2017 14:37:41 -0700
Message-Id: <201702012138.OAA15630@mail.lariat.net>
In-Reply-To: <20170201121121.GA75931@chujemuje>

At 05:11 AM 2/1/2017, Piotr Kubaj via freebsd-security wrote:
>We shouldn't forbid people to shoot themselves in their heads. If
>someone needs it, they should get, especially since it won't
>require much maintenance.
>Just repocopy the port and mark as deprecated and vulnerable next
>time there's a CVE in OpenSSH.

Perhaps it would be best if the SSHv1 code were encapsulated in a
library which could be used to access perfectly good equipment for
which new software/firmware is not being developed. This would keep
the code, whatever its quality, out of the main SSH codebase but
still make it possible to access vital gear as needed.

My company has equipment that would cost more than we could afford
to replace that runs only SSHv1, and is well protected from attacks
by other means (such as firewalls and VPNs). It's perfectly safe to
use SSHv1 with it, and a darned sight safer than devolving to Telnet.
Just as it's useful to have a way of accessing devices that use SSLv3
(we maintain browsers specifically for that purpose), it pays to have
a way to get at an embedded device that will never support versions
of SSH beyond v1.
--Brett Glass

From owner-freebsd-security@freebsd.org Thu Feb 2 04:41:13 2017
From: Peter Jeremy
To: heasley
Cc: freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Thu, 2 Feb 2017 15:13:50 +1100
Message-ID: <20170202041350.GA17877@server.rulingia.com>
In-Reply-To: <20170130195226.GD73060@shrubbery.net>

On 2017-Jan-30 19:52:26 +0000, heasley wrote:
>Mon, Jan 30, 2017 at 01:57:32PM +0100, Dag-Erling Smørgrav:
>> heasley writes:
>> > So, what is the BCP to support a v1 client for outbound connections on fbsd
>> > 11? Hopefully one that I do not need to maintain by building a special ssh
>> > from ports. Is there a pkg that I'm missing?
>>
>> FreeBSD 10 supports SSHv1 and will continue to do so. FreeBSD 11 and 12
>> do not, and neither does the openssh-portable port. I'm afraid you will
>> have to find some other SSH client.
>
>That is sad; I doubt that I am the only one who would need this - there
>are millions of Cisco, HP, and etc network devices that folks must continue
>to access but will never receive new firmware with sshv2. It takes a long
>time for some equipment to transition to the recycle bin - even after
>vendor EOLs.

I firmly support the removal of SSHv1 from FreeBSD base. OTOH, I realise
that there may be reasons why old equipment is retained far longer than
desirable and agree that SSHv1 has some benefits over TELNET.

My suggestion is that someone™ who has a pressing need for a SSHv1 client
creates a net/ssh1 port (ie not in the "security" category) that installs
a client (only) that supports SSHv1 only, and comes with a big red flashing
"DANGER: INSECURE, DO NOT USE UNLESS YOU KNOW WHAT YOU ARE DOING" warning.
--
Peter Jeremy

From owner-freebsd-security@freebsd.org Fri Feb 3 00:53:39 2017
From: heasley
To: Dag-Erling Smørgrav
Cc: heasley, freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Fri, 3 Feb 2017 00:53:31 +0000
Message-ID: <20170203005331.GG8381@shrubbery.net>
In-Reply-To: <86y3xqdxox.fsf@desk.des.no>

Wed, Feb 01, 2017 at 11:15:10AM +0100, Dag-Erling Smørgrav:
> > i'm suggesting a port with a v1 client; that is built with all the other
> > binary ports for abi changes and whatever else is reasonable. yes, i
> > can build my own, but i feel it should be a port.
>
> You mean like net/tcpdump398, which was forked from net/tcpdump because
> some people liked its output format better than that of tcpdump 4, and
> then forgotten, and is known to have dozens of security vulnerabilities?

I don't care what they do. They are consenting adults and could be told
that the port is EoS and may have holes. seems like a different animal
though; this isn't for fashion. I've transitioned everything that can be
to sshv2, what remains is stuck in time.
From owner-freebsd-security@freebsd.org Fri Feb 3 01:07:51 2017
From: heasley
To: Michael Toth
Cc: freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Fri, 3 Feb 2017 01:07:50 +0000
Message-ID: <20170203010750.GH8381@shrubbery.net>
In-Reply-To: <3d6298a5-bcea-4880-024e-56628308d8e2@queldor.net>
X-PGPkey: http://www.shrubbery.net/~heas/public-key.asc

Tue, Jan 31, 2017 at 04:41:27PM -0500, Michael Toth:
> There is a non-graphical port of putty (putty-nogtk) which installs plink

That seems usable. Thanks.

From owner-freebsd-security@freebsd.org Fri Feb 3 04:13:59 2017
From: Ian Smith
To: heasley
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Fri, 3 Feb 2017 15:13:44 +1100 (EST)
Message-ID: <20170203143417.C33334@sola.nimnet.asn.au>
In-Reply-To: <20170203005331.GG8381@shrubbery.net>

On Fri, 3 Feb 2017 00:53:31 +0000, heasley wrote:
> Wed, Feb 01, 2017 at 11:15:10AM +0100, Dag-Erling Smørgrav:
> > > i'm suggesting a port with a v1 client; that is built with all the other
> > > binary ports for abi changes and whatever else is reasonable. yes, i
> > > can build my own, but i feel it should be a port.
> >
> > You mean like net/tcpdump398, which was forked from net/tcpdump because
> > some people liked its output format better than that of tcpdump 4, and
> > then forgotten, and is known to have dozens of security vulnerabilities?
>
> I dont care what they do. They are consenting adults and could be told
> that the port is EoS and may have holes. seems like a different animal
> though; this isnt for fashion. I've transitioned everything that can be
> to sshv2, what remains is stuck in time.

Nobody 'forbids' you from making such a port, for your own use and/or
for others. See Peter Jeremy's suggestion re where it might be placed
and what sort of dire warnings it ought to announce; I expect SO and
ports secteam would insist on nothing less.

This differs from expecting|demanding|hoping somebody ELSE should do it.

Anyway, you've got lots of time until FreeBSD 10 is no longer supported.
cheers, Ian

From owner-freebsd-security@freebsd.org Fri Feb 3 17:04:53 2017
From: heasley
To: Ian Smith
Cc: freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Fri, 3 Feb 2017 17:04:52 +0000
Message-ID: <20170203170452.GA40078@shrubbery.net>
In-Reply-To: <20170203143417.C33334@sola.nimnet.asn.au>
X-PGPkey: http://www.shrubbery.net/~heas/public-key.asc

Fri, Feb 03, 2017 at 03:13:44PM +1100, Ian Smith:
> Nobody 'forbids' you from making such a port, for your own use and/or
> for others. See Peter Jeremy's suggestion re where it might be placed
> and what sort of dire warnings it ought to announce; I expect SO and
> ports secteam would insist on nothing less.
>
> This differs from expecting|demanding|hoping somebody ELSE should do it.

I've already explained why I think we (as in those needing it) building
our own is a worse security approach. It's also a bit silly for all those
folks to do it themselves, for the same reason that there are binary ports.

I'll need to modify some code, but I'll try plink instead of maintaining
my own. Until then, I've built my own v1 openssh client.
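Added example, not part of this thread and not code from FreeBSD, OpenSSH or PuTTY: before settling on plink for the devices that are "stuck in time", it helps to know which of them actually only speak SSH-1. The identification string a server sends first (RFC 4253 section 4.2, "SSH-protoversion-softwareversion SP comments") answers that: protoversion 1.5 (or 1.3) is SSH-1 only, 1.99 means the server also speaks SSH-2, and 2.0 is SSH-2 only. The script below parses that string for a constructed inventory and picks the base system ssh wherever SSH-2 is on offer, falling back to plink -1 only for SSH-1-only hosts. The hostnames and banners are constructed, and the assumption that the installed plink (from putty-nogtk) still accepts -1 to force SSH-1 is mine, not the thread's.

```python
"""Classify SSH servers by the protocol versions their identification
string advertises, and choose a client accordingly.

Added example for the fbsd11 & sshv1 thread; not FreeBSD, OpenSSH or
PuTTY code.  Assumptions (not from the thread): an inventory mapping
host -> banner, and a plink binary that accepts -1 to force SSH-1.
"""
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# SSH-1 servers send protoversion 1.5 (some 1.3); "1.99" means the server
# speaks both SSH-1 and SSH-2; "2.0" is SSH-2 only.
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<soft>\S+)(?: (?P<comment>.*))?$"
)

SSH1_ONLY = "ssh1-only"
SSH1_AND_SSH2 = "ssh1+ssh2"
SSH2_ONLY = "ssh2-only"


def classify_banner(banner: str) -> str:
    """Return one of the three classes above for a raw identification line."""
    line = banner.strip("\r\n")
    m = _BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto = m.group("proto")
    if proto == "1.99":
        return SSH1_AND_SSH2
    if proto.startswith("1."):
        return SSH1_ONLY
    if proto == "2.0":
        return SSH2_ONLY
    raise ValueError(f"unknown protoversion {proto!r} in {line!r}")


def client_command(host: str, banner: str, user: str = "admin") -> list:
    """Pick the client: SSH-2 whenever the server offers it, plink -1 otherwise."""
    if classify_banner(banner) == SSH1_ONLY:
        # plink's -1 forces SSH-1; assumed to exist in the installed PuTTY build.
        return ["plink", "-1", "-l", user, host]
    # 1.99 and 2.0 servers get the base system ssh; never downgrade these to SSH-1.
    return ["ssh", "-l", user, host]


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Live probe: read the identification line a real server sends.
    Not exercised by the offline sample below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        # RFC 4253 allows other text lines before the SSH- line; skip a few.
        for _ in range(20):
            line = f.readline().decode("ascii", "replace")
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    raise RuntimeError(f"{host}: no SSH identification string received")


# Constructed sample inventory; the hosts and banners are made up.
SAMPLE_INVENTORY = {
    "old-switch.example.net": "SSH-1.5-Cisco-1.25",
    "mid-router.example.net": "SSH-1.99-OpenSSH_4.3",
    "new-host.example.net": "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",
}


def plan(inventory: dict) -> dict:
    """Map every host in the inventory to the argv of the client to use."""
    return {host: client_command(host, banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    for host, cmd in plan(SAMPLE_INVENTORY).items():
        kind = classify_banner(SAMPLE_INVENTORY[host])
        print(f"{host:26s} {kind:10s} {' '.join(cmd)}")
```

Run against a real inventory by replacing the constructed banners with the output of fetch_banner for each device; anything classified ssh1-only is the list that still needs the SSH-1 client, and everything else should already be reachable with the base system ssh.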
From owner-freebsd-security@freebsd.org Fri Feb 3 18:34:06 2017
From: John Baldwin
To: freebsd-security@freebsd.org
Cc: heasley, Ian Smith
Subject: Re: fbsd11 & sshv1
Date: Fri, 03 Feb 2017 10:33:49 -0800
Message-ID: <3966315.aWv9gWMYE6@ralph.baldwin.cx>
In-Reply-To: <20170203170452.GA40078@shrubbery.net>
User-Agent: KMail/4.14.10 (FreeBSD/11.0-STABLE; KDE/4.14.10; amd64; ; )

On Friday, February 03, 2017 05:04:52 PM heasley wrote:
> Fri, Feb 03, 2017 at 03:13:44PM +1100, Ian Smith:
> > Nobody 'forbids' you from making such a port, for your own use and/or
> > for others. See Peter Jeremy's suggestion re where it might be placed
> > and what sort of dire warnings it ought to announce; I expect SO and
> > ports secteam would insist on nothing less.
> >
> > This differs from expecting|demanding|hoping somebody ELSE should do it.
>
> i've already explained why I think we (as in those needing it) building
> our own is a worse security approach. Its also a bit silly for all those
> folks to do it themselves; for the same reason that there are binary ports.
>
> i'll need to modify some code, but i'll try plink instead of maintaining
> my own. until then, i've built my own v1 openssh client.

I think Ian is suggesting that a port is possible so long as someone will
agree to maintain it. That is, if you will create and maintain the port
then there will be a centralized package for it. The only trick is that
someone who cares about sshv1 and will use the resulting package needs to
create and maintain the port.
-- 
John Baldwin

From owner-freebsd-security@freebsd.org Sat Feb 4 04:19:27 2017
From: "Garance A Drosehn"
To: heasley
Cc: freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Fri, 03 Feb 2017 23:19:19 -0500
Message-ID: <54709047-AA32-47F2-8B2A-25524A2C2669@rpi.edu>
In-Reply-To: <20170203170452.GA40078@shrubbery.net>

On 3 Feb 2017, at 12:04, heasley wrote:
> Fri, Feb 03, 2017 at 03:13:44PM +1100, Ian Smith:
>> Nobody 'forbids' you from making such a port, for your own use and/or
>> for others. See Peter Jeremy's suggestion re where it might be placed
>> and what sort of dire warnings it ought to announce; I expect SO and
>> ports secteam would insist on nothing less.
>>
>> This differs from expecting|demanding|hoping somebody ELSE should do it.
>
> i've already explained why I think we (as in those needing it) building
> our own is a worse security approach. Its also a bit silly for all
> those folks to do it themselves; for the same reason that there are
> binary ports.

It is a perfectly reasonable idea to have a "net/ssh1" port in the
official FreeBSD port collection, along the lines as Peter Jeremy
suggested. We're not saying that each user should be forced to create
their own. But if there is an official port in the FreeBSD ports
collection, then it needs to be maintained by someone who actually cares
about 'ssh1'.

For instance, I suspect I could *create* such a port, but there is
absolutely nothing that I (personally) need 'ssh1' for. Therefore I
would never *use* the port, which means that the port would not really
be supported. This isn't a good result for anyone. Even though you
might *think* you're happy with the initial port, you might be pretty
upset if it breaks after one month and I tell you that I have no time to
fix it. At that point you'll be mad at me, personally, and I'm not
likely to be happy with you, either. That's what we'd like to avoid.

-- 
Garance Alistair Drosehn            =     drosih@rpi.edu
Senior Systems Programmer           or   gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA