From: Tomasz CEDRO
Date: Mon, 13 Sep 2021 00:44:38 +0200
Subject: Re: Important note for future FreeBSD base system OpenSSH update
To: Ed Maste
Cc: freebsd-security, Gordon Tetlow, Karl Denninger, Dan Lukes

On Mon, Sep 13, 2021 at 12:11 AM Dan Lukes wrote:
> On 12.9.2021 23:27, Gordon Tetlow via freebsd-security wrote:
> > Blaming the browser and other client providers (OpenSSH, etc) for a
> > problem that is 100% because the devices are now abandoned by the
> > manufacturer is the wrong place to focus your anger. We have an
> > enormous problem in the industry of crappy embedded devices (like the
> > OOB management plane) accruing technical security debt while the
> > manufacturers give "a middle finger back" as you say. The
> > supportability of the hardware needs to be baked into the purchasing
> > decision. Commitments from the manufacturers on supportability
> > timeframes are important to understand and budget into a hardware
> > refresh cycle.
>
> "One size fits all" may be acceptable approach for unskilled home users,
> but not for professional use. The security mechanism may be secure
> enough for particular use even if there are known issues with the method
> in question.
>
> There may be various reasons to abandon particular method/algorithm but
> don't claim it's for my security because it's just not true. If
> particular algorithm is not secure enough for me I'm not using it
> despite it's supported. If algorithm is the best for particular case
> (it's why I'm using it) the removal will decrease overall security of
> such system. In no case the security will be increased.
>
> We should avoid making decisions on behalf of skilled security officer
> familiar with particular use case.

Hey Ed,

It seems that some people are tied to old infrastructure. Fallback to Port (or custom Kernel / Base?) seems reasonable. Will there be any alternative solution after upgrade or will people be forced to leave FreeBSD? Things start to look dramatic :-)

What is the best and worst case scenario of the change? Is it only Base or also Kernel change?

Would it be possible to use custom build of OpenSSH server (i.e. from Ports) with old algorithm enabled so it could work in place of the one being upgraded in base? I can see this approach seems to work for various services and utilities. Port seems easiest way to provide alternative solution? That way we would have secure solution by default and less secure custom solution but still easy to maintain when there is no other choice?

-- 
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info