svn commit: r294495 - in head: . crypto/openssh
Bryan Drewery
bdrewery at FreeBSD.org
Fri Jan 22 21:43:36 UTC 2016
On 1/22/2016 1:37 AM, Dag-Erling Smørgrav wrote:
> Conrad Meyer <cem at FreeBSD.org> writes:
>> Are we going to maintain DSA key support after upstream deprecates it
>> entirely? And why?
>
> I am not aware of any plans to remove DSA support. It has simply been
> disabled in the default run-time configuration - unlike, for instance,
> libwrap, which was removed entirely, and SSHv1, which needs to be
> enabled at compile time. I understand that decision (although I
> disagree with their justification, or at least the way it was worded),
> but we still have users who use DSA keys and who will be locked out of
> their systems if we disable DSA without sufficient advance warning. I
> will look into what steps can be taken to deprecate DSA without causing
> our users too much inconvenience.
>
> DES
>
I've used these in sshd_config and ssh_config to restore some removed
functionality:
Ciphers +blowfish-cbc,arcfour,aes128-cbc,3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1
PubkeyAcceptedKeyTypes +ssh-dss,ssh-dss-cert-v01 at openssh.com
HostkeyAlgorithms +ssh-dss,ssh-dss-cert-v01 at openssh.com
Maintaining these in the default config would be simpler and allow users
to more easily remove them, but not give them a working upgrade. I'm not
sure if these support '-' to disable them. On the otherhand we can just
put these lines in the release notes and UPDATING so we are
secure-by-default.
--
Regards,
Bryan Drewery
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/svn-src-all/attachments/20160122/6262221b/attachment.sig>
More information about the svn-src-all
mailing list