From: Oliver Pinter
Date: Sun, 7 Aug 2016 13:43:53 +0200
Subject: Re: svn commit: r303716 - head/crypto/openssh
To: Bruce Simpson
Cc: Dag-Erling Smørgrav, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
In-Reply-To: <9a01870a-d99d-13a2-54bd-01d32616263c@fastmail.net>
References: <201608031608.u73G8Mjq055909@repo.freebsd.org> <9a01870a-d99d-13a2-54bd-01d32616263c@fastmail.net>

On 8/7/16, Bruce Simpson wrote:
> On 07/08/16 11:58, Bruce Simpson wrote:
>> Is there a way to revert this change, at least on an ongoing operational
>> basis (e.g. configuration file) for those of us who use FreeBSD to
>> connect directly to such devices?
>
> I was able to override this (somewhat unilateral, to my mind)
> deprecation of the DH key exchange by using this option:
> -oKexAlgorithms=+diffie-hellman-group1-sha1

You can add this option to /etc/ssh/ssh.conf or ~/.ssh/config too.

> Obviously that is too much of a mouthful for day-to-day operational
> memory. I shudder to think how a novice SSH user, who is otherwise
> competent with network switches, is going to cope with this confusion.
>
> OK, so deprecating the (unwanted/vulnerable/obsolete for whatever other
> reason) cipher suite is an ideologically sound move, but the road to
> hell is paved with good intentions.
>
> But surely the operational implications of this on people who use SSH on
> a daily basis could have been better thought out, given many of these
> devices cannot just magically be updated to stop using DH?
>
> As I've said this may not affect just Netonix devices, but a wide range
> of network devices which -- let's be frank -- be grateful they even have
> a basic SSH implementation. I'm staring at $VENDOR_A and $VENDOR_H.
>
> Strikes me as foot shooting. Just my 2c.
>
> Please, at least add a central knob for overriding this. pfSense took
> the change too. I couldn't log in to our local Netonix this morning
> (without booting up a Linux laptop), which violated POLA horribly for me.
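The thread above mentions putting KexAlgorithms=+diffie-hellman-group1-sha1 into the ssh client config. The script below is an added example, not code from the thread or from FreeBSD/OpenSSH: it writes the override as a Host stanza scoped to one legacy device instead of re-enabling the weak group1 exchange for every connection, checks that the stanza is present, and, when an ssh binary is available, prints the effective KEX list with ssh -G. The alias legacy-switch, the address 192.0.2.10 and the temporary config path are placeholders chosen for the example.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): re-enable the legacy
# diffie-hellman-group1-sha1 KEX only for one named host via ~/.ssh/config.
# Alias, address and config path below are assumptions for the demo.

# Append a Host stanza for alias $1 pointing at host/IP $2 to config file $3.
# The leading '+' appends to OpenSSH's default KEX list rather than replacing
# it, so modern algorithms are still preferred wherever the peer offers them.
write_legacy_host_stanza() {
    alias_name=$1; real_host=$2; cfg=$3
    mkdir -p "$(dirname "$cfg")"
    cat >> "$cfg" <<EOF
# Legacy device: only offers the old DH group1 key exchange.
Host $alias_name
    HostName $real_host
    KexAlgorithms +diffie-hellman-group1-sha1
EOF
    chmod 600 "$cfg"   # ssh refuses world-writable per-user config files
}

# Return 0 if the Host block for alias $1 in file $2 carries the legacy KEX
# option, 1 otherwise. Tracks which Host block awk is currently inside.
stanza_has_legacy_kex() {
    awk -v h="$1" '
        $1 == "Host" { in_block = ($2 == h) }
        in_block && $1 == "KexAlgorithms" &&
            index($0, "diffie-hellman-group1-sha1") > 0 { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$2"
}

# Show what ssh will really negotiate for alias $1 using config file $2.
# "ssh -G" prints the effective configuration without connecting; it is
# skipped when ssh is not installed so the demo still runs offline.
show_effective_kex() {
    if command -v ssh >/dev/null 2>&1; then
        ssh -G -F "$2" "$1" | grep -i '^kexalgorithms'
    else
        echo "ssh not installed; skipping effective-config check"
    fi
}

# Demo against a temporary file so the real ~/.ssh/config is left untouched.
demo_cfg=$(mktemp)
write_legacy_host_stanza legacy-switch 192.0.2.10 "$demo_cfg"
stanza_has_legacy_kex legacy-switch "$demo_cfg" && echo "stanza present"
show_effective_kex legacy-switch "$demo_cfg"
rm -f "$demo_cfg"
```

Scoping the option to a Host block keeps the weak exchange off the table for every other server; `ssh -Q kex` lists what the client build supports at all, and `ssh -G <alias>` confirms the stanza is actually picked up before you rely on it from a console.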