From owner-svn-src-head@freebsd.org Mon Aug 8 18:36:37 2016 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 475BCBB2F08; Mon, 8 Aug 2016 18:36:37 +0000 (UTC) (envelope-from drosih@rpi.edu) Received: from smtp9.server.rpi.edu (gateway.canit.rpi.edu [128.113.2.229]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "canit.localdomain", Issuer "canit.localdomain" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 1C0C51670; Mon, 8 Aug 2016 18:36:36 +0000 (UTC) (envelope-from drosih@rpi.edu) Received: from smtp-auth1.server.rpi.edu (route.canit.rpi.edu [128.113.2.231]) by smtp9.server.rpi.edu (8.14.4/8.14.4/Debian-8) with ESMTP id u78IVMH2020646 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 8 Aug 2016 14:31:22 -0400 Received: from smtp-auth1.server.rpi.edu (localhost [127.0.0.1]) by smtp-auth1.server.rpi.edu (Postfix) with ESMTP id 321E0580E0; Mon, 8 Aug 2016 14:31:22 -0400 (EDT) Received: from [128.113.24.47] (gilead-qc124.netel.rpi.edu [128.113.124.17]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: drosih) by smtp-auth1.server.rpi.edu (Postfix) with ESMTPSA id 1CA79580AD; Mon, 8 Aug 2016 14:31:22 -0400 (EDT) From: "Garance A Drosehn" To: "Bruce Simpson" Cc: "Dag-Erling =?utf-8?q?Sm=C3=B8rgrav?=" , src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r303716 - head/crypto/openssh Date: Mon, 08 Aug 2016 14:31:21 -0400 Message-ID: <34A651B4-CFE1-4AAF-89D2-8A66F2EC8F27@rpi.edu> In-Reply-To: <9a01870a-d99d-13a2-54bd-01d32616263c@fastmail.net> References: <201608031608.u73G8Mjq055909@repo.freebsd.org> <9a01870a-d99d-13a2-54bd-01d32616263c@fastmail.net> MIME-Version: 1.0 X-Mailer: MailMate (1.9.4r5234) X-Virus-Scanned: ClamAV using ClamSMTP X-Bayes-Prob: 0.0001 (Score 0, tokens from: outgoing, @@RPTN) X-Spam-Score: 0.00 () [Hold at 10.10] X-CanIt-Incident-Id: 02RsGvmQg X-CanIt-Geo: ip=128.113.124.17; country=US; region=New York; city=Troy; latitude=42.7495; longitude=-73.5951; http://maps.google.com/maps?q=42.7495,-73.5951&z=6 X-CanItPRO-Stream: outgoing X-Canit-Stats-ID: Bayes signature not available X-Scanned-By: CanIt (www . roaringpenguin . com) on 128.113.2.229 X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Aug 2016 18:36:37 -0000 On 7 Aug 2016, at 7:40, Bruce Simpson wrote: > On 07/08/16 11:58, Bruce Simpson wrote: >> Is there a way to revert this change, at least on an ongoing >> operational basis (e.g. configuration file) for those of us who >> use FreeBSD to connect directly to such devices? > > I was able to override this (somewhat unilateral, to my mind) > deprecation of the DH key exchange by using this option: > -oKexAlgorithms=+diffie-hellman-group1-sha1 If I understand the issues, the biggest concern with this change is for people who need ssh clients to connect to ancient hardware. Perhaps we could reduce the pain of this change by creating a special port for ssh. One which installs a version of openssh that does not include this change, and which also does not include sshd. In addition, it could install ssh/scp under some alternate names, such that people would have to explicitly request 'ssh-2015' (instead of 'ssh') to execute this older version of ssh. (I suspect that we should not call the binaries 'ssh-old' and 'scp-old', as those names will not work well for a long-term option). *That* port would remain frozen in time, and would (probably) not import any updates from future versions of openssh. The only goal of this port is to give people a way to access hardware that they cannot access with the newer version of openssh. It is not some new fork of ssh which will track future improvements to openssh. This ssh-2015 version might need some updates of it's own, but only wrt default configuration settings, and maybe so it will recognize some special configuration options that the main ssh will ignore. [aside: we have some machines here at RPI which are old enough that I already have an alternate-version of ssh to connect to them, so this tactic is nothing new to me! Kinda sad, really...] -- Garance Alistair Drosehn = drosih@rpi.edu Senior Systems Programmer or gad@FreeBSD.org Rensselaer Polytechnic Institute; Troy, NY; USA