Date: Fri, 22 Jan 2016 13:43:22 -0800
From: Bryan Drewery <bdrewery@FreeBSD.org>
To: Dag-Erling Smørgrav <des@des.no>, Conrad Meyer <cem@FreeBSD.org>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r294495 - in head: . crypto/openssh
Message-ID: <56A2A27A.2020801@FreeBSD.org>
In-Reply-To: <86r3hauf88.fsf@desk.des.no>
References: <201601211110.u0LBAEI1081858@repo.freebsd.org> <CAG6CVpXXadnEJt+=tjiyhpk04LtTeiAoOqYeTn2-bsxwJjmTAw@mail.gmail.com> <86r3hauf88.fsf@desk.des.no>
On 1/22/2016 1:37 AM, Dag-Erling Smørgrav wrote:
> Conrad Meyer <cem@FreeBSD.org> writes:
>> Are we going to maintain DSA key support after upstream deprecates it
>> entirely? And why?
>
> I am not aware of any plans to remove DSA support. It has simply been
> disabled in the default run-time configuration - unlike, for instance,
> libwrap, which was removed entirely, and SSHv1, which needs to be
> enabled at compile time. I understand that decision (although I
> disagree with their justification, or at least the way it was worded),
> but we still have users who use DSA keys and who will be locked out of
> their systems if we disable DSA without sufficient advance warning. I
> will look into what steps can be taken to deprecate DSA without causing
> our users too much inconvenience.
>
> DES
>

I've used these in sshd_config and ssh_config to restore some removed
functionality:

Ciphers +blowfish-cbc,arcfour,aes128-cbc,3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1
PubkeyAcceptedKeyTypes +ssh-dss,ssh-dss-cert-v01@openssh.com
HostkeyAlgorithms +ssh-dss,ssh-dss-cert-v01@openssh.com

Maintaining these in the default config would be simpler and allow users
to more easily remove them, but not give them a working upgrade. I'm not
sure if these support '-' to disable them. On the other hand we can just
put these lines in the release notes and UPDATING so we are
secure-by-default.
-- 
Regards,
Bryan Drewery
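The thread above turns on one practical question: which users would be locked out if ssh-dss stopped being accepted? The script below is an added example written for this page, not code from the FreeBSD thread or from OpenSSH. It inventories key types in OpenSSH one-line public key files (authorized_keys, and ssh_host_*_key.pub use the same `[options] keytype base64-key [comment]` layout) so an administrator can find and warn DSA users before flipping the default. The sample authorized_keys content is constructed, with truncated placeholder key blobs; the file paths in the comments are only suggestions.

```shell
#!/bin/sh
# Added example (not from the FreeBSD thread or the OpenSSH project):
# inventory public-key types in OpenSSH public-key files so that users
# still relying on ssh-dss can be warned before DSA is switched off.
# Assumes the one-line OpenSSH public key format used by authorized_keys
# and by ssh_host_*_key.pub:   [options] keytype base64-key [comment]

# Constructed sample authorized_keys content; the key blobs are truncated
# placeholders, not real keys.
SAMPLE_AUTHKEYS='# keys for the build cluster
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ alice@example
ssh-dss AAAAB3NzaC1kc3MAAACBAP bob@example

command="/usr/local/bin/run-backup --quiet",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAQ backup@example
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTY carol@example
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA dave@example'

# Normalize key lines on stdin to "keytype comment", one per key.
# A leading option list (command=, from=, no-pty, ...) is skipped by
# locating the first field that looks like a key type; quoted option
# values are blanked first because they may contain spaces, which would
# otherwise shift the field positions. Comments and blank lines are dropped.
key_lines() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            line = $0
            gsub(/"[^"]*"/, "", line)
            n = split(line, f, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^(ssh-|ecdsa-|sk-)/) {
                    print f[i], ((i + 2 <= n && f[i + 2] != "") ? f[i + 2] : "-")
                    break
                }
            }
        }'
}

# Print "keytype comment" for every key on stdin whose type is $1,
# e.g. keys_of_type ssh-dss < ~alice/.ssh/authorized_keys
keys_of_type() {
    key_lines | awk -v want="$1" '$1 == want'
}

# Print "keytype count" for the keys on stdin, sorted by type.
count_key_types() {
    key_lines | awk '{ c[$1]++ } END { for (t in c) print t, c[t] }' | sort
}

# Demo on the constructed sample. On a real host, feed it the actual files:
#   cat /home/*/.ssh/authorized_keys /etc/ssh/ssh_host_*_key.pub | count_key_types
printf '%s\n' "$SAMPLE_AUTHKEYS" | count_key_types
printf '%s\n' "$SAMPLE_AUTHKEYS" | keys_of_type ssh-dss
```

On the constructed sample this reports two ssh-dss keys (bob@example and backup@example); the second one sits behind a command= option, which is exactly the kind of unattended automation that tends to be forgotten until the upgrade breaks it. Checking the host's own ssh_host_dsa_key.pub with the same function matters for the HostkeyAlgorithms side of Bryan's list. Once the inventory is empty, the `+` entries above can be dropped and the effective server policy confirmed with `sshd -T`, which prints the resolved configuration including PubkeyAcceptedKeyTypes and HostkeyAlgorithms.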