From: Bryan Drewery
To: Dag-Erling Smørgrav, Conrad Meyer
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r294495 - in head: . crypto/openssh
Date: Fri, 22 Jan 2016 13:43:22 -0800
Message-ID: <56A2A27A.2020801@FreeBSD.org>
In-Reply-To: <86r3hauf88.fsf@desk.des.no>
List-Id: SVN commit messages for the src tree for head/-current

On 1/22/2016 1:37 AM, Dag-Erling Smørgrav wrote:
> Conrad Meyer writes:
>> Are we going to maintain DSA key support after upstream deprecates it
>> entirely? And why?
>
> I am not aware of any plans to remove DSA support. It has simply been
> disabled in the default run-time configuration - unlike, for instance,
> libwrap, which was removed entirely, and SSHv1, which needs to be
> enabled at compile time. I understand that decision (although I
> disagree with their justification, or at least the way it was worded),
> but we still have users who use DSA keys and who will be locked out of
> their systems if we disable DSA without sufficient advance warning. I
> will look into what steps can be taken to deprecate DSA without causing
> our users too much inconvenience.
>
> DES
>

I've used these in sshd_config and ssh_config to restore some removed
functionality:

Ciphers +blowfish-cbc,arcfour,aes128-cbc,3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1
PubkeyAcceptedKeyTypes +ssh-dss,ssh-dss-cert-v01@openssh.com
HostkeyAlgorithms +ssh-dss,ssh-dss-cert-v01@openssh.com

Maintaining these in the default config would be simpler and allow users
to more easily remove them, but not give them a working upgrade. I'm
not sure if these support '-' to disable them.

On the other hand we can just put these lines in the release notes and
UPDATING so we are secure-by-default.

-- 
Regards,
Bryan Drewery
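
Added example, not part of the original message and not FreeBSD or OpenSSH code: a small audit that reports which of the legacy algorithms named above a given sshd_config or ssh_config re-enables, so the compatibility lines can be found and retired later. The names `audit`, `LEGACY` and `SAMPLE` are hypothetical, the sample config is constructed, and treating a leading '-' as a removal list and entries as glob patterns are assumptions about OpenSSH releases newer than the one discussed here.

```python
import fnmatch
import re

# Legacy algorithms taken from the config lines in the message above.
LEGACY = {
    "ciphers": {"blowfish-cbc", "arcfour", "aes128-cbc", "3des-cbc"},
    "kexalgorithms": {"diffie-hellman-group1-sha1"},
    "pubkeyacceptedkeytypes": {"ssh-dss", "ssh-dss-cert-v01@openssh.com"},
    "hostkeyalgorithms": {"ssh-dss", "ssh-dss-cert-v01@openssh.com"},
}
# Newer OpenSSH name for the same option.
LEGACY["pubkeyacceptedalgorithms"] = LEGACY["pubkeyacceptedkeytypes"]

# Constructed sample config, not taken from any real host.
SAMPLE = """\
# sshd_config after an upgrade
Port 22
Ciphers +blowfish-cbc,arcfour,aes128-cbc,3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1
PubkeyAcceptedKeyTypes +ssh-dss,ssh-dss-cert-v01@openssh.com
hostkeyalgorithms=ssh-ed25519,ssh-dss
MACs -hmac-md5
"""

def audit(config_text):
    """Return (line number, keyword, algorithm) for each legacy algorithm enabled."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2 or parts[0].lower() not in LEGACY:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if value.startswith("-"):
            continue  # assumption: a '-' list removes algorithms, enables nothing
        # '+' appends to the defaults; a bare list replaces them. Both enable.
        patterns = [p.strip() for p in value.lstrip("+").split(",")]
        for algo in sorted(LEGACY[keyword]):
            if any(fnmatch.fnmatchcase(algo, p) for p in patterns):
                findings.append((lineno, keyword, algo))
    return findings

if __name__ == "__main__":
    for lineno, keyword, algo in audit(SAMPLE):
        print(f"line {lineno}: {keyword} enables {algo}")
```

The audit reads only the file text it is given; it does not follow Include or Match blocks, so the effective configuration of a running daemon should still be checked separately.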