From: Bruce Simpson
Date: Sun, 7 Aug 2016 12:59:24 +0100
To: Oliver Pinter
Cc: Dag-Erling Smørgrav, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r303716 - head/crypto/openssh

On 07/08/16 12:43, Oliver Pinter wrote:
>> I was able to override this (somewhat unilateral, to my mind)
>> deprecation of the DH key exchange by using this option:
>> -oKexAlgorithms=+diffie-hellman-group1-sha1
>
> You can add this option to /etc/ssh/ssh.conf or ~/.ssh/config too.

Can this at least be added (commented out, if you really want to enforce this policy on users out-of-the-box) to the former file in FreeBSD itself? And a note added to UPDATING?

Otherwise, it's almost as though those behind the change are assuming that users will just know exactly what to do in their operational situation. That's a good way to cause problems for folk using FreeBSD in IT operations. (systemd epitomises this kind of foot shooting.)

I understand already - you want to deprecate a set of key exchanges, and believe in setting an example - but the rest of the world might not be ready for that just yet.
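
Added example, not part of the original message and not FreeBSD or OpenSSH code: a small audit of OpenSSH client configuration text (ssh_config(5) syntax) that reports every active line re-enabling the KexAlgorithms value quoted above, and whether that line is confined to a specific Host block or applies to all hosts. The sample configuration, the host name in it and the function name are constructed for illustration.

```python
import re

LEGACY_KEX = "diffie-hellman-group1-sha1"   # the algorithm named in the thread

# ssh_config(5): keyword and arguments are separated by whitespace
# or by optional whitespace and exactly one '='.
OPTION_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$")

# Constructed sample, not a FreeBSD default configuration.
SAMPLE_CONFIG = """\
# legacy device that only offers the old key exchange
Host old-switch.example.net
    KexAlgorithms +diffie-hellman-group1-sha1

Host *
    kexalgorithms=+diffie-hellman-group1-sha1
    #KexAlgorithms +diffie-hellman-group1-sha1
"""


def find_legacy_kex(config_text):
    """Return (line_no, scope, applies_to_all_hosts) for each active line enabling LEGACY_KEX."""
    scope, broad = "global", True   # options before the first Host/Match apply to every host
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):
            continue                # commented-out lines are inactive
        m = OPTION_RE.match(raw)
        if not m:
            continue                # blank line
        keyword, value = m.group(1).lower(), m.group(2).strip('"')
        if keyword == "host":
            scope, broad = "Host " + value, "*" in value.split()
        elif keyword == "match":
            scope, broad = "Match " + value, value.lower() == "all"
        elif keyword == "kexalgorithms" and not value.startswith("-"):
            # "+list" appends, "^list" prepends, a bare list replaces; "-list" removes
            if LEGACY_KEX in value.lstrip("+^").split(","):
                findings.append((line_no, scope, broad))
    return findings


if __name__ == "__main__":
    for line_no, scope, broad in find_legacy_kex(SAMPLE_CONFIG):
        kind = "ALL HOSTS" if broad else "scoped"
        print(f"line {line_no}: {LEGACY_KEX} enabled under '{scope}' ({kind})")
```
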