From owner-freebsd-security@freebsd.org Tue Sep 21 13:17:13 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C283A6731B1 for ; Tue, 21 Sep 2021 13:17:13 +0000 (UTC) (envelope-from jhs@berklix.com) Received: from land.berklix.org (land.berklix.org [144.76.10.75]) by mx1.freebsd.org (Postfix) with ESMTP id 4HDMQw6bRzz4gfl; Tue, 21 Sep 2021 13:17:12 +0000 (UTC) (envelope-from jhs@berklix.com) Received: from mart.js.berklix.net (p4fc4cd5f.dip0.t-ipconnect.de [79.196.205.95]) (authenticated bits=128) by land.berklix.org (8.15.2/8.15.2) with ESMTPA id 18LDH5aI029123; Tue, 21 Sep 2021 13:17:06 GMT (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (fire.js.berklix.net [192.168.91.41]) by mart.js.berklix.net (8.14.3/8.14.3) with ESMTP id 18LDH0VP087473; Tue, 21 Sep 2021 15:17:00 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (localhost [127.0.0.1]) by fire.js.berklix.net (8.16.1/8.16.1) with ESMTP id 18LDGxtx007838; Tue, 21 Sep 2021 15:16:59 +0200 (CEST) (envelope-from jhs@berklix.com) Message-Id: <202109211316.18LDGxtx007838@fire.js.berklix.net> To: freebsd-security@freebsd.org cc: Mathieu Arnold , Eugene Grosbein , Ed Maste Subject: Re: Important note for future FreeBSD base system OpenSSH update From: "Julian H. Stacey" Organization: http://berklix.com/jhs/ User-agent: EXMH on FreeBSD http://berklix.com/free/ X-From: http://www.berklix.org/~jhs/ In-reply-to: Your message "Mon, 20 Sep 2021 21:21:17 +0200." <20210920192117.ylaewdyxcjtl6rsb@aching.in.mat.cc> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <7836.1632230219.1@fire.js.berklix.net> Date: Tue, 21 Sep 2021 15:16:59 +0200 X-Rspamd-Queue-Id: 4HDMQw6bRzz4gfl X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of jhs@berklix.com has no SPF policy when checking 144.76.10.75) smtp.mailfrom=jhs@berklix.com X-Spamd-Result: default: False [-1.99 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; FREEFALL_USER(0.00)[jhs]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; TO_DN_SOME(0.00)[]; NEURAL_HAM_LONG(-0.99)[-0.993]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[berklix.com]; AUTH_NA(1.00)[]; HAS_ORG_HEADER(0.00)[]; RCVD_COUNT_THREE(0.00)[4]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_SHORT(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-0.999]; R_SPF_NA(0.00)[no SPF record]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:144.76.0.0/16, country:DE]; MAILMAN_DEST(0.00)[freebsd-security]; RECEIVED_SPAMHAUS_PBL(0.00)[79.196.205.95:received] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Sep 2021 13:17:13 -0000 Mathieu Arnold wrote: > > On Sun, Sep 12, 2021 at 05:09:45AM +0700, Eugene Grosbein wrote: > > 10.09.2021 1:01, Ed Maste wrote: > >=20 > > > To check whether a server is using the weak ssh-rsa public key > > > algorithm, for host authentication, try to connect to it after > > > removing the ssh-rsa algorithm from ssh(1)'s allowed list: > > >=20 > > > ssh -oHostKeyAlgorithms=3D-ssh-rsa user@host > > >=20 > > > If the host key verification fails and no other supported host key > > > types are available, the server software on that host should be > > > upgraded. > >=20 > > I have some telco equipment (E1/SS7) based on custom Linux distro built b= > y a vendor: > >=20 > > $ ssh -oHostKeyAlgorithms=3D-ssh-rsa user@host > > Unable to negotiate with X.X.X.X port 22: no matching host key type found= > =2E Their offer: ssh-rsa > >=20 > > I've already asked the vendor for possible upgrade and was told that no u= > pgrade will be available. > >=20 > > Will I be able to use ssh_config and following command to re-enable the f= > eature after planned import? > >=20 > > HostKeyAlgorithms ssh-rsa > > Same here, I have many telco and even switches and routers that only > support ssh-rsa, will it be possible to use a ssh_config knob to enable > it back? Same here. A mix of new & old hardware using ssh protocol on an internal net behind a firewall. Functionality required. Not pointless damage! So mark old protocols "less secure, better use .." & set defaults to newer, but do not erase working protocols; let users decide what's best in each case. Removal of old protocols to force users to force world's hardware vendors to all upgrade, & "Devil take the hindmost" is draconian ! Aside: An exmple of old hardware safe using old ssh behind a firewall: HP Network Scanjet with ADF - Converted to use FreeBSD-4.11, http://berklix.com/scanjet/ Works perfectly, FreeBSD 11 12 or 13 too big! Any old ssh sufficient for rdist6 & sftp etc. Siren voices to cripple ssh, would cripple use of old hardware, disrupt & waste other people's money, & dump more scrapped hardwarare on the planet. Think Green: Retain old protocols, but mark them less secure. Cheers, -- Julian Stacey http://berklix.com/jhs/ http://stolenvotes.uk