Date:      Fri, 11 Apr 2025 09:02:24 -0400
From:      mike tancsa <mike@sentex.net>
To:        Brooks Davis <brooks@freebsd.org>, "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        Ed Maste <emaste@freebsd.org>, freebsd-security@freebsd.org
Subject:   Re: Heads-up: DSA key support being removed from OpenSSH
Message-ID:  <7995ed42-80a4-422e-82bf-4b9bf79ed192@sentex.net>
In-Reply-To: <Z_h9MXD8D_UAZon6@spindle.one-eyed-alien.net>
References:  <CAPyFy2Dk0VoqLPSHxTLzBCWT_ouqU_kj4QNhN17VybMinbr6bA@mail.gmail.com> <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de> <CAPyFy2DAk8wx34gEJs7L94NykyMDBzAjLo9TwQOa_SPVvEFQ3A@mail.gmail.com> <p992nn1n-p9n2-s64o-9666-o5on62nnor7s@yvfgf.mnoonqbm.arg> <Z_h9MXD8D_UAZon6@spindle.one-eyed-alien.net>


On 4/10/2025 10:23 PM, Brooks Davis wrote:
> On Thu, Apr 10, 2025 at 10:24:49PM +0000, Bjoern A. Zeeb wrote:
>> Is there any chance to keep an openssh (client) port (possibly with known
>> security risks)?
> It seems like it would be reasonable to keep a copy of the 9.8 client
> around more or less indefinitely.  Ideally tracking whatever fixes the
> longest lived, open Linux LTS is applying.
>
> Similarly we have an openssl-unsafe for connecting to old gear.
>
> I may be mistaken, but I believe security/putty's upstream takes the
> maximum compatibility approach.  If I'm correct, people may want to
> switch to it for these needs.
>
> For a security/openssh98 or similar we might want to do something

I for one GREATLY appreciate FreeBSD's commitment and thoughtfulness 
around POLA through the years, but I think this is a case where having a 
separate legacy DSA-supporting ssh client is a reasonable path to take 
for those who need it (I include myself in that list).  I think it makes 
maintaining OpenSSH a little less brittle through minimizing the 
divergence in code from upstream.

     ---Mike



