Date:      Wed, 01 Feb 2017 14:37:41 -0700
From:      Brett Glass <brett@lariat.org>
To:        Piotr Kubaj <pkubaj@anongoth.pl>, freebsd-security@freebsd.org
Subject:   Re: fbsd11 & sshv1
Message-ID:  <201702012138.OAA15630@mail.lariat.net>
In-Reply-To: <20170201121121.GA75931@chujemuje>
References:  <mailman.41.1485950400.51630.freebsd-security@freebsd.org> <20170201121121.GA75931@chujemuje>

At 05:11 AM 2/1/2017, Piotr Kubaj via freebsd-security wrote:

>We shouldn't forbid people to shoot themselves in their heads. If 
>someone needs it, they should get, especially since it won't 
>require much maintenance.
>Just repocopy the port and mark as deprecated and vulnerable next 
>time there's a CVE in OpenSSH.

Perhaps it would be best if the SSHv1 code were encapsulated in a 
library which could be used to access perfectly good equipment for 
which new software/firmware is not being developed. This would keep 
the code, whatever its quality, out of the main SSH codebase but 
still make it possible to access vital gear as needed.

My company has equipment that would cost more than we could afford 
to replace that runs only SSHv1, and is well protected from attacks 
by other means (such as firewalls and VPNs). It's perfectly safe to 
use SSHv1 with it, and a darned sight safer than devolving to 
Telnet. Just as it's useful to have a way of accessing devices that 
use SSLv3 (we maintain browsers specifically for that purpose), it 
pays to have a way to get at an embedded device that will never 
support versions of SSH beyond v1.

--Brett Glass
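The first step in keeping SSHv1-only gear of the kind Brett describes behind firewalls and VPNs is knowing which devices those are. The following is an added example, not code from the thread or from FreeBSD/OpenSSH: it parses the SSH identification string (RFC 4253 section 4.2, "SSH-protoversion-softwareversion") to classify hosts as protocol-1-only, dual-protocol ("1.99"), or protocol-2-only. The banners and host names are constructed sample input.

```python
"""Classify SSH servers by the protocol version they advertise.

Added example (not from the original thread). Parses the identification
string defined in RFC 4253 section 4.2 ("SSH-protoversion-softwareversion")
so an administrator can inventory which devices still speak only protocol 1
and therefore need the firewall/VPN isolation discussed above. The banners
below are constructed sample input; no network access is performed.
"""
import re

# Constructed sample banners, as a scanner or `nc host 22` would read them.
SAMPLE_BANNERS = {
    "core-switch-legacy": "SSH-1.5-Cisco-1.25\r\n",
    "old-kvm": "SSH-1.99-OpenSSH_3.9p1\r\n",
    "fileserver": "SSH-2.0-OpenSSH_7.2 FreeBSD-20161230\r\n",
    "unknown-box": "garbage\r\n",
}

# protoversion and softwareversion are separated by "-"; an optional
# space-separated comment may follow the software version.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[^\s]+)(?: (?P<comment>.*))?$"
)


def classify_banner(banner: str) -> str:
    """Return 'v1-only', 'v1-and-v2', 'v2-only', or 'unknown' for one banner."""
    m = BANNER_RE.match(banner.rstrip("\r\n"))
    if not m:
        return "unknown"
    proto = m.group("proto")
    if proto == "1.99":          # RFC 4253: server accepts both protocol 1 and 2
        return "v1-and-v2"
    if proto.startswith("1."):   # 1.3 / 1.5: protocol 1 only
        return "v1-only"
    if proto == "2.0":
        return "v2-only"
    return "unknown"


def inventory(banners):
    """Map each host to its class and list the hosts that need isolation."""
    classes = {host: classify_banner(b) for host, b in banners.items()}
    isolate = sorted(h for h, c in classes.items() if c == "v1-only")
    return classes, isolate


if __name__ == "__main__":
    classes, isolate = inventory(SAMPLE_BANNERS)
    for host, cls in classes.items():
        print(f"{host:20s} {cls}")
    print("hosts that must stay behind firewall/VPN:", isolate)
```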
