Date:      Sun, 7 Aug 2016 15:25:54 +0300
From:      Andrey Chernov <ache@freebsd.org>
To:        Bruce Simpson <bms@fastmail.net>, Oliver Pinter <oliver.pinter@hardenedbsd.org>
Cc:        Dag-Erling Smørgrav <des@freebsd.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r303716 - head/crypto/openssh
Message-ID:  <30e655d1-1df7-5e2a-fccb-269e3cea4684@freebsd.org>
In-Reply-To: <b99c06ac-82d6-ccda-419c-2ece5be4636f@fastmail.net>
References:  <201608031608.u73G8Mjq055909@repo.freebsd.org> <d419bddd-fe56-bc11-8965-142ca0b94ebc@fastmail.net> <9a01870a-d99d-13a2-54bd-01d32616263c@fastmail.net> <CAPQ4fftQ30_aqU8V_ea-WEKBdMZs5H9Rwxnfa0crid_df049nQ@mail.gmail.com> <b99c06ac-82d6-ccda-419c-2ece5be4636f@fastmail.net>

On 07.08.2016 14:59, Bruce Simpson wrote:
> On 07/08/16 12:43, Oliver Pinter wrote:
>>> I was able to override this (somewhat unilateral, to my mind)
>>> deprecation of the DH key exchange by using this option:
>>> -oKexAlgorithms=+diffie-hellman-group1-sha1
>>
>> You can add this option to /etc/ssh/ssh.conf or ~/.ssh/config too.
> 
> Can this at least be added (commented out, if you really want to enforce
> this policy on users out-of-the-box) to the former file in FreeBSD
> itself? And a note added to UPDATING?
> 
> Otherwise, it's almost as though those behind the change are assuming
> that users will just know exactly what to do in their operational
> situation. That's a good way to cause problems for folk using FreeBSD in
> IT operations.
> 
> (systemd epitomises this kind of foot shooting.)
> 
> I understand already - you want to deprecate a set of key exchanges, and
> believe in setting an example - but the rest of the world might not be
> ready for that just yet.
> 

You should address your complaints to the original openssh author instead; it
was his decision to get rid of weak algos. In my personal opinion, if
your hardware is outdated, just drop it. We can't turn our security
team into a compatibility team by constantly restoring removed code; such
code quickly becomes outdated and may add new security holes even while
inactive.
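An added example, not part of this thread or of the OpenSSH project: a small Python audit that parses an `ssh_config`-style file and reports every scope whose `KexAlgorithms` directive turns `diffie-hellman-group1-sha1` back on, flagging the global scope separately. The point for an administrator who needs the opt-in described above is to keep it on a `Host` stanza for the legacy equipment rather than on every connection. The `Host legacy-switch` name and both sample configs are constructed for the example.

```python
"""Audit an OpenSSH client config for re-enabled legacy key exchange.

Added example, not from the thread or from OpenSSH. Lines before any
Host/Match keyword belong to the global scope, reported as "*"; a
literal "Host *" stanza is treated the same way, since both apply to
every connection. OpenSSH uses the first obtained value per option, so
a global KexAlgorithms near the top of the file wins over later stanzas.
"""
import re
from dataclasses import dataclass

# Algorithm named in the thread as removed from the OpenSSH client defaults.
LEGACY_KEX = {"diffie-hellman-group1-sha1"}


@dataclass
class KexFinding:
    scope: str          # "*" for the global scope, else the Host/Match pattern
    directive: str      # the KexAlgorithms value exactly as written
    global_scope: bool  # True when the opt-in applies to every host


def enables_legacy(value: str) -> set:
    """Return the legacy algorithms a KexAlgorithms value turns on.

    "+list" appends to the defaults, "^list" prepends, a bare list replaces
    them; all three enable whatever they name. "-list" only removes
    algorithms, so it can never enable one.
    """
    if value.startswith("-"):
        return set()
    algos = {a.strip() for a in value.lstrip("+^").split(",")}
    return algos & LEGACY_KEX


def parse_kex_scopes(config_text: str) -> list:
    """Return (scope, KexAlgorithms value) pairs in file order.

    Only the first KexAlgorithms inside a scope is recorded, mirroring the
    first-value-wins rule. Keywords are case-insensitive and may be written
    as "Key value" or "Key=value"; "#" starts a comment.
    """
    scopes = []
    current = "*"
    seen_in_scope = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            current = value
            seen_in_scope = False
        elif key == "kexalgorithms" and not seen_in_scope:
            scopes.append((current, value))
            seen_in_scope = True
    return scopes


def audit(config_text: str) -> list:
    """List every scope that enables a legacy key-exchange algorithm."""
    findings = []
    for scope, value in parse_kex_scopes(config_text):
        if enables_legacy(value):
            findings.append(KexFinding(scope, value, global_scope=(scope == "*")))
    return findings


# Constructed sample: opt-in limited to one legacy device, modern defaults elsewhere.
SCOPED_SAMPLE = """\
Host legacy-switch                      # constructed hostname
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa

Host *
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
"""

# Constructed sample: the same opt-in placed globally, so it applies to every host.
GLOBAL_SAMPLE = """\
KexAlgorithms=+diffie-hellman-group1-sha1

Host bastion
    User admin
"""

if __name__ == "__main__":
    for name, sample in (("scoped", SCOPED_SAMPLE), ("global", GLOBAL_SAMPLE)):
        for f in audit(sample):
            where = "GLOBAL (every host)" if f.global_scope else f"Host {f.scope}"
            print(f"{name}: legacy KEX enabled in {where}: {f.directive}")
```

The same opt-in can be given on the command line as `-oKexAlgorithms=+diffie-hellman-group1-sha1`, as in the thread; this audit only covers the file form. Because OpenSSH keeps the first value it obtains for each option, the `GLOBAL_SAMPLE` layout silently applies the weak exchange to every host, which is why the report marks it separately from a scoped finding. `ssh -Q kex` lists the algorithms the installed binary still supports, which is the quick way to confirm whether an opt-in can work at all.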


