From: Ed Maste
Date: Thu, 10 Apr 2025 12:41:17 -0400
Subject: Re: Heads-up: DSA key support being removed from OpenSSH
To: Jan Bramkamp
Cc: freebsd-security@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-security

On Wed, 19 Mar 2025 at 17:21, Jan Bramkamp wrote:
>
> As long as it's "only" a compile-time option away for FreeBSD to enable
> this flawed cipher I would like to have it compiled in by default so it
> doesn't require installing SSH from ports to connect to some stupid old
> router/switch/UPS/whatever over SSH. As long as it won't negotiate that
> cipher with the default configuration that's safe enough for my needs.
>
> TL;DR: Please keep it enabled at compile-time, but configured
> disabled. FreeBSD shouldn't require recompiling the base system to
> connect to older embedded devices.

It's a compile-time option in 9.9 and earlier. As of 10.0 the configure
infrastructure has been removed but the source hasn't yet been deleted. I
expect that will happen soon though.

We'll keep DSA available, at least in stable branches, as long as it's
reasonably convenient and safe to do so, but won't patch it back in once
the source is removed.
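The thread turns on the difference between DSA being compiled into the OpenSSH client and DSA being negotiated by default. The script below is an added example, not part of the original message and not FreeBSD or OpenSSH project code: it checks whether the installed client still has ssh-dss compiled in (assumed: `ssh -Q key` lists the key types the binary was built with, so ssh-dss is absent from a 9.8/9.9 build made without --enable-dsa-keys and from 10.0), and shows how to opt in to ssh-dss for one host only, leaving the default configuration untouched. The host name old-switch is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): tell compile-time DSA
# support apart from run-time policy, and scope any ssh-dss opt-in to one
# destination instead of enabling it globally.
#
# Assumption (not stated on the page): `ssh -Q key` prints the key types
# the ssh binary was built with, one per line.

# has_dsa_support: read an algorithm list on stdin; succeed only if the
# plain or certificate form of ssh-dss is present.
has_dsa_support() {
    grep -q -E '^ssh-dss(-cert-v01@openssh\.com)?$'
}

# dsa_opt_in_args: print the ssh(1) options that enable ssh-dss for a
# single connection. "+ssh-dss" appends to the default list instead of
# replacing it, so modern host-key and user-key algorithms stay preferred.
dsa_opt_in_args() {
    printf '%s\n' \
        '-oHostKeyAlgorithms=+ssh-dss' \
        '-oPubkeyAcceptedAlgorithms=+ssh-dss'
}

# dsa_host_stanza: emit an ssh_config(5) stanza matching one host pattern,
# so the opt-in never applies to any other destination.
dsa_host_stanza() {
    host="$1"
    printf 'Host %s\n' "$host"
    printf '    HostKeyAlgorithms +ssh-dss\n'
    printf '    PubkeyAcceptedAlgorithms +ssh-dss\n'
}

# Stand-alone use: query the real client when one is installed.
if command -v ssh >/dev/null 2>&1; then
    if ssh -Q key | has_dsa_support; then
        echo "ssh-dss is compiled in; to use it for one host only:"
        echo "  ssh $(dsa_opt_in_args | tr '\n' ' ')admin@old-switch"
        echo "or add this stanza to ~/.ssh/config:"
        dsa_host_stanza old-switch
    else
        echo "ssh-dss is not compiled in; this client cannot reach DSA-only devices"
    fi
fi
```

`ssh -Q key` reports what the binary can do, not what it will offer: on a 9.8/9.9 build with DSA compiled in, ssh-dss is still disabled at run time until you add it as above. To see the effective per-host policy after editing ~/.ssh/config, run `ssh -G old-switch | grep -i algorithms`.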