From: Dewayne Geraghty
To: freebsd-security@freebsd.org
Subject: Re: Important note for future FreeBSD base system OpenSSH update
Date: Tue, 14 Sep 2021 11:06:10 +1000
Message-ID: <85d1dffc-729e-bb8c-32f8-46b452705fcd@heuristicsystems.com.au>
In-Reply-To: <8169A4A8-B8D1-4265-87C8-74ED4D34FBC8@fasel.at>
References: <8169A4A8-B8D1-4265-87C8-74ED4D34FBC8@fasel.at>

Thank you Ed, for providing a window for discussion. As much as I strongly agree with Dave Cottlehuber, there is sadly a pragmatic dimension.
So, off by default goes some way to improve the world, but folk do appear to need to be able to connect to "antique" equipment that they have no mechanism to upgrade (perhaps call for an ISO27001 audit? ;) ). We really don't want to lose FreeBSDers for this.

Minor point - your ssh command line was helpful as it confirmed connectivity to an older FreeBSD 9.1 system (still in use from 2014) using ed25519, and finally, to clarify that PuTTY 0.75 (from May 2021) uses rsa-sha256; current version is 0.76, per https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html