Date: Sun, 7 Aug 2016 12:40:38 +0100
From: Bruce Simpson <bms@fastmail.net>
To: Dag-Erling Smørgrav <des@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r303716 - head/crypto/openssh
Message-ID: <9a01870a-d99d-13a2-54bd-01d32616263c@fastmail.net>
In-Reply-To: <d419bddd-fe56-bc11-8965-142ca0b94ebc@fastmail.net>
References: <201608031608.u73G8Mjq055909@repo.freebsd.org> <d419bddd-fe56-bc11-8965-142ca0b94ebc@fastmail.net>
On 07/08/16 11:58, Bruce Simpson wrote:
> Is there a way to revert this change, at least on an ongoing operational
> basis (e.g. configuration file) for those of us who use FreeBSD to
> connect directly to such devices?

I was able to override this (somewhat unilateral, to my mind) deprecation of the DH key exchange by using this option:

    -oKexAlgorithms=+diffie-hellman-group1-sha1

Obviously that is too much of a mouthful for day-to-day operational memory. I shudder to think how a novice SSH user, who is otherwise competent with network switches, is going to cope with this confusion.

OK, so deprecating the (unwanted/vulnerable/obsolete for whatever other reason) cipher suite is an ideologically sound move, but the road to hell is paved with good intentions.

But surely the operational implications of this on people who use SSH on a daily basis could have been better thought out, given many of these devices cannot just magically be updated to stop using DH?

As I've said, this may not affect just Netonix devices, but a wide range of network devices which -- let's be frank -- be grateful they even have a basic SSH implementation. I'm staring at $VENDOR_A and $VENDOR_H.

Strikes me as foot shooting. Just my 2c.

Please, at least add a central knob for overriding this. pfSense took the change too. I couldn't log in to our local Netonix this morning (without booting up a Linux laptop), which violated POLA horribly for me.
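The "central knob" the message asks for already exists in OpenSSH's client configuration: the same `KexAlgorithms +diffie-hellman-group1-sha1` override can live in `ssh_config` under a `Host` stanza, so the legacy exchange is re-enabled only for the one device that needs it rather than for every connection. The script below is an added example, not code from the thread or from the FreeBSD/OpenSSH projects; the host alias `netonix-sw`, the address 192.0.2.10, the user name and the temporary file paths are constructed placeholders. It writes a host-scoped stanza, writes a global (`Host *`) override beside it as the setting to avoid, and includes a small awk check that counts how many `diffie-hellman-group1-sha1` overrides apply globally.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): put the
# -oKexAlgorithms=+diffie-hellman-group1-sha1 override into ssh_config,
# scoped to a single Host, instead of typing it on every invocation or
# enabling the deprecated exchange for all hosts.

# Emit a Host-scoped stanza that re-enables diffie-hellman-group1-sha1
# for one legacy device only. $1 = alias, $2 = address, $3 = login user.
legacy_kex_stanza() {
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$2"
    printf '    User %s\n' "$3"
    printf '    KexAlgorithms +diffie-hellman-group1-sha1\n'
    printf '\n'
}

# The recommended layout: the override lives only under the device's Host.
write_scoped_config() {
    {
        legacy_kex_stanza netonix-sw 192.0.2.10 admin   # constructed values
        printf 'Host *\n    ServerAliveInterval 30\n'
    } > "$1"
}

# The layout to avoid: a "Host *" override re-enables the deprecated
# exchange for every connection the client makes.
write_global_config() {
    {
        printf 'Host *\n    KexAlgorithms +diffie-hellman-group1-sha1\n'
    } > "$1"
}

# Count KexAlgorithms lines mentioning diffie-hellman-group1-sha1 that apply
# globally, i.e. before any Host line or under "Host *". Prints the count.
count_global_legacy_kex() {
    awk '
        BEGIN { global = 1 }
        /^[[:space:]]*Host[[:space:]]/ { global = ($2 == "*"); next }
        /^[[:space:]]*KexAlgorithms[[:space:]]/ && /diffie-hellman-group1-sha1/ {
            if (global) n++
        }
        END { print n + 0 }
    ' "$1"
}

# Stand-alone run: build the scoped config and report the global count (0).
cfg="${TMPDIR:-/tmp}/legacy_ssh_config.$$"
write_scoped_config "$cfg"
printf 'global legacy KEX overrides in %s: %s\n' "$cfg" "$(count_global_legacy_kex "$cfg")"
# To use it: ssh -F "$cfg" netonix-sw
# To see what the client would actually negotiate: ssh -G -F "$cfg" netonix-sw
rm -f "$cfg"
```

Running `count_global_legacy_kex` against an existing `~/.ssh/config` is a quick way to confirm the override has not leaked into a `Host *` block; `ssh -G host` then shows the effective `kexalgorithms` line for a given host, which is the simplest way to verify that only the intended device gets the legacy exchange.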