From: jungle boogie
To: Heasley
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Date: Mon, 30 Jan 2017 22:11:39 -0800
Subject: Re: fbsd11 & sshv1
List-Id: "Security issues [members-only posting]"

On 01/30/2017 09:36 PM, Heasley wrote:
>>> what's wrong with providing a 7.4+v1 port for everyone to use?
>>
>> What will happen when 7.4 gets a vulnerability, then? I don't think
>> you or I will be patching it (or anyone else) and therefore, the
>> port/pkg will be knowingly vulnerable.
>>
>> Why do we want that?
>
> So you are advocating telnet? Such a client is likely better still than telnet, which is the only alternative.
>

No, I've explained what I've advocated: compile 7.4 yourself and use it for your own needs. Having FreeBSD keep deprecated software around doesn't seem practical to me, and it seems this is also what FreeBSD security believes. Sorry that you're working with legacy hardware.

> Without a pkg, folks are forced to maintain it themselves. Which is more likely to receive less attention between now and EoS for v1?
>
> Don't make choices for or impose your rhetoric upon others, provide them the tools to make their choices.
>

Fact: I'm not imposing anything as I have no say in FreeBSD's security at all.

FWIW, in May 2016 the openssh team announced their intentions to disable ssh v1:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-May/035069.html

It also looks like they pushed the deprecation from June to August as well.

Looks like ssh v1 was disabled at compile time in March 2015:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-March/033701.html

So unsurprisingly, it looks like they've communicated the desire to remove sshv1 for a while.