From: Terje Elde
To: heasley
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Tue, 31 Jan 2017 11:49:44 +0100
Message-Id: <320E35B3-7200-4804-928C-686657FCDFBE@elde.net>
In-Reply-To: <20170130195226.GD73060@shrubbery.net>

> On 30 Jan 2017, at 20:52, heasley wrote:
>
> That is sad; I doubt that I am the only one who would need this - there
> are millions of Cisco, HP, and etc network devices that folks must continue
> to access but will never receive new firmware with sshv2. It takes a long
> time for some equipment to transition to the recycle bin - even after
> vendor EOLs.

I get your point, but there are other ways to go about this. The right way to go about it would IMHO be fairly simple:

If you have few boxes, bin them. If they're not getting firmware updates, ssh v1 isn't your only problem.

If you have too many critical or expensive boxes to make that practical, you can probably afford a Soekris, Raspberry Pi or similar, that you can keep at FreeBSD 10, and use as a jump host. Which you should probably have anyway, if your equipment is no longer getting updates.

Either way; problem solved, and relatively cleanly so.

"We have that crud over there, so we must keep this crud over here" really isn't the way to move security forward, especially not when better solutions are easily available. SSH2 has been around for a decade now, it's time to let go of SSH1, at least in primary systems.

Terje