From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: "Tomasz CEDRO", "Dan Lukes"
Cc: freebsd-security, "Gordon Tetlow", "Karl Denninger"
Date: Mon, 13 Sep 2021 00:07:06 +0000
Subject: Re: Important note for future FreeBSD base system OpenSSH update
> > > Blaming the browser and other client providers (OpenSSH, etc) for a
> > > problem that is 100% because the devices are now abandoned by the
> > > manufacturer is the wrong place to focus your anger. We have an
> > > enormous problem in the industry of crappy embedded devices (like the

Obviously just my humble opinion, but FreeBSD should, for new releases, turn the security *UP* to 11. No harm with knobs in installers, release notes, pointing out how to turn it down to 0 again.

But it's 2020 now, and with hindsight, we see the long term cumulative effects of small poor security choices across the industry.

If you refuse to, or can't, upgrade the other infrastructure, and I totally respect that for a host of reasons, then don't upgrade this one either.

Or stick a pi zero jump host in the middle ($5 maybe) to cater for this case if you want new shiny secure here, and old compat there.

Where possible, we should enable easy backward compatibility. But if, like OpenSSH (or OpenSSL), you need stuff that simply isn't acceptable anymore in a modern secure-by-default OS, then please don't drag the rest of FreeBSD back. By all means step up and help maintain ports that facilitate this use case! As dropbear only added ed25519 keys in 2020, this is probably a very suitable candidate for that.

The argument that we will lose users "because backward compatibility" is equally as valid as "because insecure defaults that fail audits". Which is to say, not at all valid. The very definition of a straw man argument.

Let's not sweep under the rug the very real effort and security risk that we introduce in favour of eternal backwards compatibility.

If you *need* SSH 1.0, or TLS 1.1, or whatever the non-secure thing is, just DON'T UPGRADE. Just stay on 11.x or 12.x (supported to 2024), or worst case, install a jail or VM just for this.

Or, do the work, help maintain an ever increasing swathe of patches to re-add what has been removed. But we all know that this path is both painful, and introduces security risks. I'd like fewer CVEs in my life.

Just my 0.05c for the other positions in this thread.

A+
Dave