From owner-svn-src-all@freebsd.org Sun Aug 7 12:25:59 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D3CFDBB0057 for ; Sun, 7 Aug 2016 12:25:59 +0000 (UTC) (envelope-from mailing-machine@vniz.net) Received: from mail-lf0-f48.google.com (mail-lf0-f48.google.com [209.85.215.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 622D61AF9 for ; Sun, 7 Aug 2016 12:25:58 +0000 (UTC) (envelope-from mailing-machine@vniz.net) Received: by mail-lf0-f48.google.com with SMTP id b199so230985241lfe.0 for ; Sun, 07 Aug 2016 05:25:58 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=BTZQGZ+m+bzAQFFmIVdAmEWzlntZOrn9hD/PckltQd4=; b=mIW5GV2r5zPuPNCVYLtn1bQbRXKGhzgaxy4rhWVPG6Kh2rMfLmfEU2tp1vOs680mnr 0vTEm8M8042m3zOIbFVZlUtynUKIrWsdDzDWWdwV/x44si8AnpNXIShacs0gLkIaiEgg fd0gpwGD/EolxCye3SvBEa3G5bOBvKDt7udfZCuDXtrv4vSWrPmqYdHGyjSD2jmb0Q91 bBRrO50TUWZwuUgKvUpOOC1COyKmq1IP/m1FCMuvD2Q+/FxhbvL6cHOOHU8J9W8lu2oo 1rEKqy5Fe3ybYC6juOtERKu+cPrX9WX3JksBHU511QQMIKo5QVlqfgCSMS8SQS6cVFBF jYLA== X-Gm-Message-State: AEkoouvlwAWoygcidQuLp+pG3b69WQUxCo0mYAUbBLPTTNiyao+j/i4eiw9LAclIBsJ1eA== X-Received: by 10.25.84.132 with SMTP id i126mr21613072lfb.116.1470572756467; Sun, 07 Aug 2016 05:25:56 -0700 (PDT) Received: from [192.168.1.2] ([89.169.173.68]) by smtp.gmail.com with ESMTPSA id 85sm4752833ljf.6.2016.08.07.05.25.55 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 07 Aug 2016 05:25:55 -0700 (PDT) Subject: Re: svn commit: r303716 - head/crypto/openssh To: Bruce Simpson , Oliver Pinter References: <201608031608.u73G8Mjq055909@repo.freebsd.org> <9a01870a-d99d-13a2-54bd-01d32616263c@fastmail.net> Cc: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= , src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org From: Andrey Chernov Message-ID: <30e655d1-1df7-5e2a-fccb-269e3cea4684@freebsd.org> Date: Sun, 7 Aug 2016 15:25:54 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Aug 2016 12:25:59 -0000 On 07.08.2016 14:59, Bruce Simpson wrote: > On 07/08/16 12:43, Oliver Pinter wrote: >>> I was able to override this (somewhat unilateral, to my mind) >>> deprecation of the DH key exchange by using this option: >>> -oKexAlgorithms=+diffie-hellman-group1-sha1 >> >> You can add this option to /etc/ssh/ssh.conf or ~/.ssh/config too. > > Can this at least be added (commented out, if you really want to enforce > this policy on users out-of-the-box) to the former file in FreeBSD > itself? And a note added to UPDATING? > > Otherwise, it's almost as though those behind the change are assuming > that users will just know exactly what to do in their operational > situation. That's a good way to cause problems for folk using FreeBSD in > IT operations. > > (systemd epitomises this kind of foot shooting.) > > I understand already - you want to deprecate a set of key exchanges, and > believe in setting an example - but the rest of the world might not be > ready for that just yet. > You should address your complains to original openssh author instead, it was his decision to get rid of weak algos. In my personal opinion, if your hardware is outdated, just drop it out. We can't turn our security team into compatibility team, by constantly restoring removed code, such code quickly becomes outdated and may add new security holes even being inactive.