From owner-svn-src-head@freebsd.org Sun Aug 7 12:52:37 2016 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 94044BB06F1; Sun, 7 Aug 2016 12:52:37 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 56ACB193A; Sun, 7 Aug 2016 12:52:37 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from slw by zxy.spb.ru with local (Exim 4.86 (FreeBSD)) (envelope-from ) id 1bWNZ5-000HgL-In; Sun, 07 Aug 2016 15:52:27 +0300 Date: Sun, 7 Aug 2016 15:52:27 +0300 From: Slawa Olhovchenkov To: Andrey Chernov Cc: Bruce Simpson , Oliver Pinter , svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Dag-Erling =?utf-8?B?U23DuHJncmF2?= Subject: Re: svn commit: r303716 - head/crypto/openssh Message-ID: <20160807125227.GC22212@zxy.spb.ru> References: <201608031608.u73G8Mjq055909@repo.freebsd.org> <9a01870a-d99d-13a2-54bd-01d32616263c@fastmail.net> <30e655d1-1df7-5e2a-fccb-269e3cea4684@freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <30e655d1-1df7-5e2a-fccb-269e3cea4684@freebsd.org> User-Agent: Mutt/1.5.24 (2015-08-30) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Aug 2016 12:52:37 -0000 On Sun, Aug 07, 2016 at 03:25:54PM +0300, Andrey Chernov wrote: > On 07.08.2016 14:59, Bruce Simpson wrote: > > On 07/08/16 12:43, Oliver Pinter wrote: > >>> I was able to override this (somewhat unilateral, to my mind) > >>> deprecation of the DH key exchange by using this option: > >>> -oKexAlgorithms=+diffie-hellman-group1-sha1 > >> > >> You can add this option to /etc/ssh/ssh.conf or ~/.ssh/config too. > > > > Can this at least be added (commented out, if you really want to enforce > > this policy on users out-of-the-box) to the former file in FreeBSD > > itself? And a note added to UPDATING? > > > > Otherwise, it's almost as though those behind the change are assuming > > that users will just know exactly what to do in their operational > > situation. That's a good way to cause problems for folk using FreeBSD in > > IT operations. > > > > (systemd epitomises this kind of foot shooting.) > > > > I understand already - you want to deprecate a set of key exchanges, and > > believe in setting an example - but the rest of the world might not be > > ready for that just yet. > > > > You should address your complains to original openssh author instead, it > was his decision to get rid of weak algos. In my personal opinion, if > your hardware is outdated, just drop it out. Hardware outdated by outdated main function, not by outdated ssh upstream. > We can't turn our security > team into compatibility team, by constantly restoring removed code, such > code quickly becomes outdated and may add new security holes even being > inactive. What is security hole by present this ciphers in _client_?