From: Bruce Simpson
Date: Sun, 7 Aug 2016 18:37:29 +0100
Subject: Re: svn commit: r303716 - head/crypto/openssh
To: Andrey Chernov, Warner Losh
Cc: Slawa Olhovchenkov, Oliver Pinter, svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Dag-Erling Smørgrav

On 07/08/16 18:34, Andrey Chernov wrote:
>>> Alcatel-Lucent OmniSwitch 6800 login broken (pfSense 2.3.2 which
>>> accepted the upstream change, workaround no-go)
>>>
>>> [2.3.2-RELEASE][root@gw.lab]/root: ssh -l admin
>>> -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.XXX
>>> Fssh_ssh_dispatch_run_fatal: Connection to 192.168.1.XXX port 22: DH GEX
>>> group out of range
>> DH prime size must be at least 2048, openssh now refuses lower values.
>> Commonly used DH size 1024 can be easily broken. See https://weakdh.org
>>
> diffie-hellman-group1-sha1 uses both DH 1024 and insecure sha1.
>

I appreciate that, but what do I as a user do about it?

My distribution has changed behaviour I rely on in an operational setting. My initial reaction is likely to be one of confusion, and general dismay.

I appreciate that this is done for security reasons, but it could take an arbitrarily long time for a lot of deployed hardware in current use to be updated.

(On the other hand, the introduction of, say, ED25519 has been more gradual, and has tended to see uptake in e.g. Linux-based ARM products.)