Date: Mon, 20 Sep 2021 21:21:17 +0200 From: Mathieu Arnold <mat@freebsd.org> To: Eugene Grosbein <eugen@grosbein.net> Cc: Ed Maste <emaste@freebsd.org>, freebsd-security@freebsd.org Subject: Re: Important note for future FreeBSD base system OpenSSH update Message-ID: <20210920192117.ylaewdyxcjtl6rsb@aching.in.mat.cc> In-Reply-To: <e17ea9da-4a3b-a21f-2107-8b94e094974d@grosbein.net> References: <CAPyFy2A390kS_C3g=Y9QhQcJ06z_FKUxXsNvi9g2CdWF24pukg@mail.gmail.com> <CAPyFy2B04b0GtWoHFQwxht5vK4_cnApPXpDLXU%2BRvcR=2L9YxA@mail.gmail.com> <CAPyFy2Aw8Z3ngiM8YHApjjPRLZVC5MCN8TRQkh6pj2fSeM1zqw@mail.gmail.com> <e17ea9da-4a3b-a21f-2107-8b94e094974d@grosbein.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--c6o5srltse6xawnc Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Sep 12, 2021 at 05:09:45AM +0700, Eugene Grosbein wrote: > 10.09.2021 1:01, Ed Maste wrote: >=20 > > To check whether a server is using the weak ssh-rsa public key > > algorithm, for host authentication, try to connect to it after > > removing the ssh-rsa algorithm from ssh(1)'s allowed list: > >=20 > > ssh -oHostKeyAlgorithms=3D-ssh-rsa user@host > >=20 > > If the host key verification fails and no other supported host key > > types are available, the server software on that host should be > > upgraded. >=20 > I have some telco equipment (E1/SS7) based on custom Linux distro built b= y a vendor: >=20 > $ ssh -oHostKeyAlgorithms=3D-ssh-rsa user@host > Unable to negotiate with X.X.X.X port 22: no matching host key type found= =2E Their offer: ssh-rsa >=20 > I've already asked the vendor for possible upgrade and was told that no u= pgrade will be available. >=20 > Will I be able to use ssh_config and following command to re-enable the f= eature after planned import? >=20 > HostKeyAlgorithms ssh-rsa Same here, I have many telco and even switches and routers that only support ssh-rsa, will it be possible to use a ssh_config knob to enable it back? --=20 Mathieu Arnold --c6o5srltse6xawnc Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQKTBAABCgB9FiEEVhwchfRfuV0unqO5KesJApEdfgIFAmFI3yhfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDU2 MUMxQzg1RjQ1RkI5NUQyRTlFQTNCOTI5RUIwOTAyOTExRDdFMDIACgkQKesJApEd fgKARg/9GwxP+aPnLsUo+ZjxRfKIaUmvUs0phVPSlOsfeIc7IADR6c/2pKufPxX1 Y6i8sFQXJAVf3+cqm0cwlBxonVZ63/rSzFT2l9rfB6xp5EIhe50yLhxJeEt7Vl3z ENGqki0IYOR21ziohja2rr9xz2nzlkZm27rUdkysODoqHkW0OESqMOMFl/lkdc/k uVAj1d1rac34yATtRgE0JSFFnlCJ+PeYotw5w5bh3TcvNsTy7Lhv1EP9S6AcE7S3 5Wa6/hooF++8TwJP6DyaV29l1mB1WBcVceELiUez+4/LyBNflTifY4pZv8E3F/TE Ua9l3wZMeFF0LCqWz0ZU7mNjjcP5bHIBbD43JZpUKqM1ndM0lpufO4K3DOqBr4P3 5BFii+H6r4sbH+mkUc1tIdWYFOYzAt2xicnYs+0AyBz40c1ewTsusB8rs73l3z0r E7qgHWKN7ivZAWvotGn1Rnc9sbfSCesYJU9XtOb3MouTfqNvF1eNPF2B8Jh/hsar 6ckyyqDJeW2YdV5IT1TNGLW0dLTboPI4w2mZBJ1P8P+W4ixSuCaCDHBtmSaeAx4M AQZAMOH6JkgRbwFR+HS4G0Sgx93f+7eAQRsloHQ45eTD6lu75pzT+zSJ5cN07lfZ FAkBzMfuTkfQOSKv2HRPH+eQUBpVPJDbb1TeG417uB/dX9ZYqFo= =4aHI -----END PGP SIGNATURE----- --c6o5srltse6xawnc--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20210920192117.ylaewdyxcjtl6rsb>