Date:      Thu, 10 Apr 2025 12:41:17 -0400
From:      Ed Maste <emaste@freebsd.org>
To:        Jan Bramkamp <crest@rlwinm.de>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Heads-up: DSA key support being removed from OpenSSH
Message-ID:  <CAPyFy2DAk8wx34gEJs7L94NykyMDBzAjLo9TwQOa_SPVvEFQ3A@mail.gmail.com>
In-Reply-To: <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de>
References:  <CAPyFy2Dk0VoqLPSHxTLzBCWT_ouqU_kj4QNhN17VybMinbr6bA@mail.gmail.com> <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de>


On Wed, 19 Mar 2025 at 17:21, Jan Bramkamp <crest@rlwinm.de> wrote:
>
> As long as it's "only" a compile-time option away for FreeBSD to enable
> this flawed cipher I would like to have it compiled in by default so it
> doesn't require installing SSH from ports to connect to some stupid old
> router/switch/UPS/whatever over SSH. As long as it won't negotiate that
> cipher with the default configuration that's safe enough for my needs.
>
> TL;DR: Please keep it enabled at compile-time, but configured
> disabled. FreeBSD shouldn't require recompiling the base system to
> connect to older embedded devices.

It's a compile-time option in 9.9 and earlier. As of 10.0 the
configure infrastructure has been removed but the source hasn't yet
been deleted. I expect that will happen soon though.

We'll keep DSA available, at least in stable branches, as long as it's
reasonably convenient and safe to do so, but won't patch it back in
once the source is removed.
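The distinction the thread turns on is compile-time availability versus the run-time default: a client built with DSA still refuses ssh-dss unless a host stanza opts in. The following script is an added example and not part of the mailing-list exchange or of FreeBSD's OpenSSH. It checks the key-type list that `ssh -Q key` prints for ssh-dss and emits a per-host ssh_config block using the real OpenSSH keywords `HostKeyAlgorithms` and `PubkeyAcceptedAlgorithms`; the host name `old-ups.example.net` and the two sample key lists are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether the installed
# OpenSSH client was built with DSA, and generate a ssh_config stanza
# that re-enables ssh-dss for a single legacy device only, leaving the
# default (DSA disabled) policy in place for every other host.

# Return 0 if the key-type list (one type per line, as printed by
# `ssh -Q key`) contains ssh-dss, i.e. DSA support was compiled in.
dsa_compiled_in() {
    printf '%s\n' "$1" | grep -qx 'ssh-dss'
}

# Emit a Host block for ~/.ssh/config that permits a DSA host key and a
# DSA user key for the named host. The "+" form appends ssh-dss to the
# default algorithm lists instead of replacing them.
legacy_host_stanza() {
    host="$1"
    printf 'Host %s\n' "$host"
    printf '    HostKeyAlgorithms +ssh-dss\n'
    printf '    PubkeyAcceptedAlgorithms +ssh-dss\n'
}

# Probe the client on PATH, if any. Returns 0 when ssh-dss is available,
# 1 when the build lacks it, 2 when no client is installed.
probe_local_ssh() {
    if ! command -v ssh >/dev/null 2>&1; then
        echo "no ssh client on PATH"
        return 2
    fi
    if dsa_compiled_in "$(ssh -Q key 2>/dev/null)"; then
        echo "ssh-dss compiled in (disabled at run time by default since OpenSSH 7.0)"
        return 0
    fi
    echo "ssh-dss not built in: this client cannot reach DSA-only devices"
    return 1
}

# Constructed sample outputs standing in for `ssh -Q key` on a build
# with DSA (9.9 and earlier with the option on) and one without it.
WITH_DSA='ssh-ed25519
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256'
WITHOUT_DSA='ssh-ed25519
ssh-rsa
ecdsa-sha2-nistp256'

# Stand-alone run: report on the local client and show the stanza you
# would add for one old device. Failure of the probe is not fatal here.
probe_local_ssh || :
legacy_host_stanza old-ups.example.net
```

Run as `sh check-dsa.sh`; on a 10.0-based client the probe reports that ssh-dss is absent, and no configuration stanza can bring it back, which is the situation the reply above describes once the source is deleted.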


Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPyFy2DAk8wx34gEJs7L94NykyMDBzAjLo9TwQOa_SPVvEFQ3A>