From owner-freebsd-current@freebsd.org Wed Nov 11 23:33:26 2015
From: Benjamin Kaduk <kaduk@mit.edu>
To: Daniel Kalchev
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Date: Wed, 11 Nov 2015 18:28:10 -0500 (EST)
Subject: kerberos telnet/rlogin/etc. (was Re: OpenSSH HPN)
In-Reply-To: <546376BD-A2E7-4B73-904E-4F33DD82401E@digsys.bg>

On Wed, 11 Nov 2015, Daniel Kalchev wrote:

> Perhaps a similar level of security could be achieved by “the old tools”
> if they were by default compiled with Kerberos. Although, this still
> requires building additional infrastructure.
The kerberized versions of the old tools are basically unsupported
upstream at this point. Telnet is actively insecure, being limited to
single-DES; rlogin may be somewhat better but it's still not looking very
good. ssh is better because it speaks GSS-API instead of raw kerberos, and
can thus keep up with newer crypto automatically.

When I was working at MIT, I considered making a final release of the
krb5-appl distribution, so as to include in the release announcement that
they were not going to be supported further, but could not even bring
myself to do that. They are not in Debian anymore, and I expect them to
dwindle from other distributions, too.

Let the "old tools" grow old and retire.

-Ben

From owner-freebsd-current@freebsd.org Wed Nov 11 23:56:10 2015
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Bryan Drewery
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Date: Thu, 12 Nov 2015 02:56:06 +0300
Subject: Re: OpenSSH HPN
Message-ID: <20151111235606.GF48728@zxy.spb.ru>
In-Reply-To: <56438660.5010508@FreeBSD.org>

On Wed, Nov 11, 2015 at 10:18:08AM -0800, Bryan Drewery wrote:
> On 11/11/2015 10:13 AM, Slawa Olhovchenkov wrote:
> > On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote:
> >
> >> Bryan Drewery writes:
> >>> Another thing that I did with the port was restore the tcpwrapper
> >>> support that upstream removed. Again, if we decide it is not worth
> >>> keeping in base I will remove it as default in the port.
> >>
> >> I want to keep tcpwrapper support - it is another reason why I still
> >> haven't upgraded OpenSSH, but to the best of my knowledge, it is far
> >> less intrusive than HPN.
> >
> > Can you explain what the problem is?
> > I see openssh in base and openssh in ports (more recent version)
> > with the same functionality patches.
> > You talk about trouble upgrading. What is the root cause?
> > Does openssh in base have a different vendor and/or license?
> > Or something else?
> >
> > PS: As far as I know today, Heimdal Kerberos is practically dead as an
> > open-source project. Has FreeBSD planned a switch to MIT Kerberos?
> > I know about security/krb5.
> >
>
> IMHO the problem comes down to time. Patching an upstream project
> increases maintenance cost for upgrading it. Every patch adds up. When
> you become busy and don't have time to pay attention to every little
> change made in a release, hearing 'removed tcpwrappers support' or
> 'refactored the code for libssh usage' makes it sound like 1 more
> thing you must deal with to upgrade that code base and more effort to
> validate that your patches are right. We obviously don't want to just
> drop in the latest code and throw it out there as broken. SSH is quite
> critical and we want to ensure our changes are still right, and that
> doing something like adding tcpwrappers back in won't introduce some
> security bug that upstream was coy about.

Same for the ports version? Or is the ports version different? Or does the
port maintainer have more time (this is not to blame DES)? I just don't
know what is different between the port ssh and the base ssh. We need ssh
6.x in base, not 7.x as in the port (why?), and this needs independent
work on patches? I am somehow missing what is commonplace for others.
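The tcpwrapper support discussed above is the libwrap access check that upstream OpenSSH removed in 6.7 and that the FreeBSD port patch restores: before sshd accepts a connection it consults /etc/hosts.allow and /etc/hosts.deny. The following is an added example written for this page, not code from OpenSSH, libwrap or the FreeBSD port; it re-implements the decision order of those two files for a subset of the syntax (daemon lists, ALL, exact IPv4 addresses, dotted prefixes such as 192.0.2., CIDR ranges, domain suffixes such as .example.org, and the optional trailing allow/deny option). EXCEPT, KNOWN/UNKNOWN/PARANOID and shell commands are deliberately left out, and the policy files and client addresses are constructed for the demo.

```python
"""Evaluator for a subset of tcp_wrappers hosts.allow / hosts.deny rules.

Decision order, as libwrap applies it for a daemon such as sshd:
  1. first matching rule in hosts.allow wins (grants, unless it ends in ': deny')
  2. otherwise first matching rule in hosts.deny wins (denies, unless ': allow')
  3. otherwise the connection is allowed
"""
import ipaddress


def parse_rules(text):
    """Parse 'daemons : clients [: allow|deny]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        verdict = fields[2].lower() if len(fields) > 2 else None
        if verdict not in (None, "allow", "deny"):
            raise ValueError("unsupported option: %r" % raw)
        rules.append((fields[0].split(), fields[1].split(), verdict))
    return rules


def client_matches(pattern, addr, hostname):
    """Match one client pattern against the peer address and its reverse name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. .mgmt.example.org
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):            # dotted address prefix, e.g. 198.51.100.
        return addr.startswith(pattern)
    if "/" in pattern:                   # CIDR, e.g. 192.0.2.0/24
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr or (hostname is not None and pattern == hostname)


def rule_matches(rule, daemon, addr, hostname):
    daemons, clients, _ = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    return any(client_matches(p, addr, hostname) for p in clients)


def access_allowed(daemon, addr, hostname, hosts_allow, hosts_deny):
    """Return True if libwrap-style policy admits the connection."""
    for rule in parse_rules(hosts_allow):
        if rule_matches(rule, daemon, addr, hostname):
            return rule[2] != "deny"      # a ': deny' option overrides the file
    for rule in parse_rules(hosts_deny):
        if rule_matches(rule, daemon, addr, hostname):
            return rule[2] == "allow"     # a ': allow' option overrides the file
    return True


# Constructed policy (assumption, not a real host's configuration).
HOSTS_ALLOW = """
# management network and hosts under .mgmt.example.org may reach sshd
sshd : 192.0.2.0/24 .mgmt.example.org : allow
sshd : 203.0.113.7 : deny          # one host blocked even on the allow side
"""
HOSTS_DENY = """
sshd : ALL
ALL : 198.51.100.
"""


def demo():
    """Evaluate a handful of constructed peers; keys are (daemon, addr, rdns)."""
    cases = [
        ("sshd", "192.0.2.10", None),                           # in CIDR -> allowed
        ("sshd", "203.0.113.7", None),                          # explicit deny
        ("sshd", "198.51.100.4", "bastion.mgmt.example.org"),   # suffix match in hosts.allow
        ("sshd", "198.51.100.4", None),                         # no rdns -> hosts.deny 'sshd : ALL'
        ("ftpd", "198.51.100.9", None),                         # 'ALL : 198.51.100.' denies
        ("ftpd", "192.0.2.10", None),                           # no rule -> default allow
    ]
    return {c: access_allowed(c[0], c[1], c[2], HOSTS_ALLOW, HOSTS_DENY) for c in cases}


if __name__ == "__main__":
    for key, ok in demo().items():
        print(key, "allow" if ok else "deny")
```

The point for the upgrade discussion is that this check runs before any SSH key exchange, so a host that is not on the allow list never reaches the protocol code at all; an sshd built without libwrap silently ignores both files, and the same effect then has to come from sshd_config Match blocks or a packet filter.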