svn commit: r303716 - head/crypto/openssh

Oliver Pinter oliver.pinter at hardenedbsd.org
Sun Aug 7 11:43:56 UTC 2016


On 8/7/16, Bruce Simpson <bms at fastmail.net> wrote:
> On 07/08/16 11:58, Bruce Simpson wrote:
>> Is there a way to revert this change, at least on an ongoing operational
>> basis (e.g. configuration file) for those of us who use FreeBSD to
>> connect directly to such devices?
>
> I was able to override this (somewhat unilateral, to my mind)
> deprecation of the DH key exchange by using this option:
> -oKexAlgorithms=+diffie-hellman-group1-sha1

You can add this option to /etc/ssh/ssh.conf or ~/.ssh/config too.

>
> Obviously that is too much of a mouthful for day-to-day operational
> memory. I shudder to think how a novice SSH user, who is otherwise
> competent with network switches, is going to cope with this confusion.
>
> OK, so deprecating the (unwanted/vulnerable/obsolete for whatever other
> reason) cipher suite is an ideologically sound move, but the road to
> hell is paved with good intentions.
>
> But surely the operational implications of this on people who use SSH on
> a daily basis could have been better thought out, given many of these
> devices cannot just magically be updated to stop using DH?
>
> As I've said this may not affect just Netonix devices, but a wide range
> of network devices which -- let's be frank -- be grateful they even have
> a basic SSH implementation. I'm staring at $VENDOR_A and $VENDOR_H.
>
> Strikes me as foot shooting. Just my 2c.
>
> Please, at least add a central knob for overriding this. pfSense took
> the change too. I couldn't log in to our local Netonix this morning
> (without booting up a Linux laptop), which violated POLA horribly for me.
> _______________________________________________
> svn-src-head at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/svn-src-head
> To unsubscribe, send any mail to "svn-src-head-unsubscribe at freebsd.org"
>

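Since the override can live in the per-user config as well as on the command line, it is worth scoping it to the `Host` blocks that actually need it and checking where it has been enabled. The POSIX shell script below is an added example, not code from the thread or from OpenSSH; the config it audits is constructed inline and the host names are placeholders.

```sh
#!/bin/sh
# Audit an ssh_config-style file for Host blocks that re-enable the
# legacy diffie-hellman-group1-sha1 key exchange. The config below is
# constructed for this example; the host names are placeholders.

SAMPLE_CONFIG=$(cat <<'EOF'
# Global defaults: nothing legacy here.
Host *
    ServerAliveInterval 30

# Scoped override: only this old switch gets group1.
Host old-switch.example.net
    KexAlgorithms +diffie-hellman-group1-sha1

Host modern.example.net
    KexAlgorithms curve25519-sha256@libssh.org
EOF
)

# Print "host<TAB>effect" for every Host block whose KexAlgorithms value
# mentions diffie-hellman-group1-sha1. A leading "+" appends the
# algorithm to the default list; without it the value replaces the
# defaults entirely. Only the first pattern of a "Host a b c" line is
# reported, which is enough for this audit.
legacy_kex_hosts() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "host" { host = $2; next }
        tolower($1) == "kexalgorithms" && index($2, "diffie-hellman-group1-sha1") {
            effect = (substr($2, 1, 1) == "+") ? "appended to defaults" : "replaces defaults"
            printf "%s\t%s\n", host, effect
        }'
}

legacy_kex_hosts "$SAMPLE_CONFIG"
```

To see the value the client actually ends up with for a given host after all config files are merged, `ssh -G hostname | grep -i kexalgorithms` prints the effective setting.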
