Date: Sun, 7 Aug 2016 13:43:53 +0200
From: Oliver Pinter <oliver.pinter@hardenedbsd.org>
To: Bruce Simpson <bms@fastmail.net>
Cc: Dag-Erling Smørgrav <des@freebsd.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r303716 - head/crypto/openssh
Message-ID: <CAPQ4fftQ30_aqU8V_ea-WEKBdMZs5H9Rwxnfa0crid_df049nQ@mail.gmail.com>
In-Reply-To: <9a01870a-d99d-13a2-54bd-01d32616263c@fastmail.net>
References: <201608031608.u73G8Mjq055909@repo.freebsd.org> <d419bddd-fe56-bc11-8965-142ca0b94ebc@fastmail.net> <9a01870a-d99d-13a2-54bd-01d32616263c@fastmail.net>
On 8/7/16, Bruce Simpson <bms@fastmail.net> wrote:
> On 07/08/16 11:58, Bruce Simpson wrote:
>> Is there a way to revert this change, at least on an ongoing operational
>> basis (e.g. configuration file) for those of us who use FreeBSD to
>> connect directly to such devices?
>
> I was able to override this (somewhat unilateral, to my mind)
> deprecation of the DH key exchange by using this option:
> -oKexAlgorithms=+diffie-hellman-group1-sha1

You can add this option to /etc/ssh/ssh.conf or ~/.ssh/config too.

> Obviously that is too much of a mouthful for day-to-day operational
> memory. I shudder to think how a novice SSH user, who is otherwise
> competent with network switches, is going to cope with this confusion.
>
> OK, so deprecating the (unwanted/vulnerable/obsolete for whatever other
> reason) cipher suite is an ideologically sound move, but the road to
> hell is paved with good intentions.
>
> But surely the operational implications of this on people who use SSH on
> a daily basis could have been better thought out, given many of these
> devices cannot just magically be updated to stop using DH?
>
> As I've said this may not affect just Netonix devices, but a wide range
> of network devices which -- let's be frank -- be grateful they even have
> a basic SSH implementation. I'm staring at $VENDOR_A and $VENDOR_H.
>
> Strikes me as foot shooting. Just my 2c.
>
> Please, at least add a central knob for overriding this. pfSense took
> the change too. I couldn't log in to our local Netonix this morning
> (without booting up a Linux laptop), which violated POLA horribly for me.
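The per-host form of the override Oliver refers to, as an added example that is not from the thread: a ~/.ssh/config fragment that re-enables the legacy key exchange only for the devices that need it, so the rest of the client's connections keep the hardened defaults. The host patterns are placeholders.

```ssh_config
# ~/.ssh/config  (added example; host names below are placeholders)
#
# ssh_config uses the FIRST value obtained for each option, so the
# device-specific block must come before any catch-all "Host *" block.

# Legacy network gear that only offers diffie-hellman-group1-sha1
# (a 1024-bit MODP group, which is why upstream disabled it by default).
Host legacy-sw-* 192.0.2.*
    # "+" appends to the default list instead of replacing it: modern
    # methods are still preferred, and group1 is only used when the
    # device offers nothing else.
    KexAlgorithms +diffie-hellman-group1-sha1

    # Such devices often lack modern host-key types and ciphers too.
    # Enable these only if the connection still fails, and keep them
    # scoped to this block rather than in "Host *".
    #HostKeyAlgorithms +ssh-dss
    #Ciphers +aes128-cbc

# Everything else: stock defaults, no legacy algorithms.
Host *
    # (intentionally no KexAlgorithms line here)
```

`ssh -G legacy-sw-01 | grep kexalgorithms` prints the effective value the client will use for that host, which is a quick way to confirm the override applies where intended and nowhere else.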