Date: Tue, 31 Jan 2017 11:49:44 +0100
From: Terje Elde <terje@elde.net>
To: heasley <heas@shrubbery.net>
Cc: Dag-Erling Smørgrav <des@des.no>, freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Message-ID: <320E35B3-7200-4804-928C-686657FCDFBE@elde.net>
In-Reply-To: <20170130195226.GD73060@shrubbery.net>
References: <20170127173016.GF12175@shrubbery.net> <867f5c66yr.fsf@desk.des.no> <20170130195226.GD73060@shrubbery.net>

> On 30 Jan 2017, at 20:52, heasley <heas@shrubbery.net> wrote:
>
> That is sad; I doubt that I am the only one who would need this - there
> are millions of Cisco, HP, and etc network devices that folks must continue
> to access but will never receive new firmware with sshv2. It takes a long
> time for some equipment to transition to the recycle bin - even after
> vendor EOLs.

I get your point, but there are other ways to go about this.

The right way to go about it would IMHO be fairly simple:

If you have few boxes, bin them. If they’re not getting firmware updates, ssh v1 isn’t your only problem.

If you have too many critical or expensive boxes to make that practical, you can probably afford a Soekris, Raspberry Pi or similar, that you can keep at FreeBSD 10, and use as a jump host. Which you should probably have anyway, if your equipment is no longer getting updates.

Either way; problem solved, and relatively cleanly so.

“We have that crud over there, so we must keep this crud over here” really isn’t the way to move security forward, especially not when better solutions are easily available. SSH2 has been around for a decade now, it’s time to let go of SSH1, at least in primary systems.

Terje