Date: Thu, 2 Feb 2017 15:13:50 +1100
From: Peter Jeremy
To: heasley
Cc: freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Message-ID: <20170202041350.GA17877@server.rulingia.com>
In-Reply-To: <20170130195226.GD73060@shrubbery.net>

On 2017-Jan-30 19:52:26 +0000, heasley wrote:
>Mon, Jan 30, 2017 at 01:57:32PM +0100, Dag-Erling Smørgrav:
>> heasley writes:
>> > So, what is the BCP to support a v1 client for outbound connections on fbsd
>> > 11? Hopefully one that I do not need to maintain by building a special ssh
>> > from ports. Is there a pkg that I'm missing?
>>
>> FreeBSD 10 supports SSHv1 and will continue to do so. FreeBSD 11 and 12
>> do not, and neither does the openssh-portable port. I'm afraid you will
>> have to find some other SSH client.
>
>That is sad; I doubt that I am the only one who would need this - there
>are millions of Cisco, HP, and etc network devices that folks must continue
>to access but will never receive new firmware with sshv2. It takes a long
>time for some equipment to transition to the recycle bin - even after
>vendor EOLs.

I firmly support the removal of SSHv1 from FreeBSD base. OTOH, I realise
that there may be reasons why old equipment is retained far longer than
desirable and agree that SSHv1 has some benefits over TELNET.

My suggestion is that someone™ who has a pressing need for a SSHv1 client
creates a net/ssh1 port (ie not in the "security" category) that installs a
client (only) that supports SSHv1 only, and comes with a big red flashing
"DANGER: INSECURE, DO NOT USE UNLESS YOU KNOW WHAT YOU ARE DOING" warning.

-- 
Peter Jeremy