Date:      Tue, 21 Sep 2021 15:16:59 +0200
From:      "Julian H. Stacey" <jhs@berklix.com>
To:        freebsd-security@freebsd.org
Cc:        Mathieu Arnold <mat@freebsd.org>, Eugene Grosbein <eugen@grosbein.net>, Ed Maste <emaste@freebsd.org>
Subject:   Re: Important note for future FreeBSD base system OpenSSH update
Message-ID:  <202109211316.18LDGxtx007838@fire.js.berklix.net>
In-Reply-To: Your message "Mon, 20 Sep 2021 21:21:17 +0200." <20210920192117.ylaewdyxcjtl6rsb@aching.in.mat.cc>

Mathieu Arnold wrote:
> 
> On Sun, Sep 12, 2021 at 05:09:45AM +0700, Eugene Grosbein wrote:
> > 10.09.2021 1:01, Ed Maste wrote:
> >
> > > To check whether a server is using the weak ssh-rsa public key
> > > algorithm, for host authentication, try to connect to it after
> > > removing the ssh-rsa algorithm from ssh(1)'s allowed list:
> > >
> > >     ssh -oHostKeyAlgorithms=-ssh-rsa user@host
> > >
> > > If the host key verification fails and no other supported host key
> > > types are available, the server software on that host should be
> > > upgraded.
> >
> > I have some telco equipment (E1/SS7) based on a custom Linux distro built by a vendor:
> >
> > $ ssh -oHostKeyAlgorithms=-ssh-rsa user@host
> > Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-rsa
> >
> > I've already asked the vendor for a possible upgrade and was told that no upgrade will be available.
> >
> > Will I be able to use ssh_config and the following directive to re-enable the feature after the planned import?
> >
> > HostKeyAlgorithms ssh-rsa
>
> Same here, I have many telco and even switches and routers that only
> support ssh-rsa, will it be possible to use a ssh_config knob to enable
> it back?

Same here.  A mix of new & old hardware using ssh protocol on an internal
net behind a firewall.  Functionality required.  Not pointless damage!

So mark old protocols "less secure, better use .." & set defaults to newer,
but do not erase working protocols; let users decide what's best in each case.

Removal of old protocols to force users to force world's hardware
vendors to all upgrade, & "Devil take the hindmost" is draconian !

Aside: An example of old hardware safely using old ssh behind a firewall:
	HP Network Scanjet with ADF - Converted to use FreeBSD-4.11,
	http://berklix.com/scanjet/ 
	Works perfectly; FreeBSD 11, 12 or 13 too big!
	Any old ssh sufficient for rdist6 & sftp etc.

Siren voices to cripple ssh would cripple use of old hardware, disrupt &
waste other people's money, & dump more scrapped hardware on the planet.
Think Green: Retain old protocols, but mark them less secure.

Cheers,
-- 
Julian Stacey  http://berklix.com/jhs/  http://stolenvotes.uk
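The probe Ed Maste describes above, and the per-host ssh_config re-enable that Eugene and Mathieu ask about, as an added example (not code from the thread or from the FreeBSD or OpenSSH projects). It assumes an OpenSSH client whose failure message uses the "no matching host key type found. Their offer:" wording shown in Eugene's output, and the option names from OpenSSH 8.5 and later (PubkeyAcceptedAlgorithms; older clients call it PubkeyAcceptedKeyTypes). The host name legacy-switch and the constructed error line are illustrative only. Two points a practitioner will want: only the SHA-1 "ssh-rsa" signature scheme is disabled by default, so a server that also offers rsa-sha2-256 or rsa-sha2-512 with the same RSA key passes the probe and needs no exception; and the exception belongs in a "Host" stanza for the legacy box, not in a global "HostKeyAlgorithms +ssh-rsa" that weakens every connection the client makes.

```shell
#!/bin/sh
# Added example: triage hosts that still offer only the SHA-1 ssh-rsa host key
# signature, and emit a scoped ssh_config stanza for each one found.
# Not from the thread; assumes OpenSSH's ssh(1) and its error wording.

# Classify the stderr of a probe run. Prints one of:
#   ssh-rsa-only - server offers nothing but ssh-rsa (needs an exception)
#   mixed        - key-type negotiation failed with some other offer list
#   ok           - no host key type mismatch (rsa-sha2-* or other types work)
classify_offer() {
    offer=$(printf '%s\n' "$1" |
        sed -n 's/.*no matching host key type found\. Their offer: //p')
    if [ -z "$offer" ]; then
        echo ok
    elif [ "$offer" = "ssh-rsa" ]; then
        echo ssh-rsa-only
    else
        echo mixed
    fi
}

# Live probe (network): connect with ssh-rsa removed from the client's
# HostKeyAlgorithms, exactly as in the advisory. BatchMode avoids prompts;
# the login itself may fail, we only care about the negotiation step.
probe_host() {
    out=$(ssh -oBatchMode=yes -oConnectTimeout=5 \
              -oHostKeyAlgorithms=-ssh-rsa "$1" exit 2>&1) || true
    classify_offer "$out"
}

# Scoped re-enable: ssh-rsa is accepted only for the named host.
# PubkeyAcceptedAlgorithms only matters if you authenticate to that host
# with an RSA user key; drop it if you use ed25519/ecdsa keys.
legacy_stanza() {
    printf 'Host %s\n    HostKeyAlgorithms +ssh-rsa\n    PubkeyAcceptedAlgorithms +ssh-rsa\n' "$1"
}

# Constructed sample of the failure (the address is documentation space).
SAMPLE_OFFER='Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa'

# Offline demonstration on the constructed line.
classify_offer "$SAMPLE_OFFER"        # ssh-rsa-only

# With host names on the command line, probe each and print a stanza for
# the ones that need an exception (append the output to ~/.ssh/config).
for h in "$@"; do
    case $(probe_host "$h") in
        ssh-rsa-only) legacy_stanza "$h" ;;
        mixed)        echo "# $h: negotiation failed, inspect manually" ;;
        ok)           echo "# $h: no exception needed" ;;
    esac
done
```

Run it as `sh probe_rsa.sh switch1 pbx2 > legacy.conf` and review legacy.conf before including it; the loop is written so that a host that already negotiates rsa-sha2-256 or an ed25519 key gets no stanza at all.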



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202109211316.18LDGxtx007838>