svn commit: r303716 - head/crypto/openssh
Slawa Olhovchenkov
slw at zxy.spb.ru
Sun Aug 7 17:37:38 UTC 2016
On Sun, Aug 07, 2016 at 08:34:55PM +0300, Andrey Chernov wrote:
> On 07.08.2016 20:31, Andrey Chernov wrote:
> > On 07.08.2016 19:14, Bruce Simpson wrote:
> >> On 07/08/16 15:40, Warner Losh wrote:
> >>> That’s a cop-out answer. We, as a project, need to articulate to our
> >>> users, whom we care about, why this rather obnoxious hit to usability
> >>> was taken. The answer must be more complete than “We just disabled
> >>> it because upstream disabled it for reasons we’re too lazy to explain
> >>> or document how to work around"
> >>
> >> Alcatel-Lucent OmniSwitch 6800 login broken (pfSense 2.3.2 which
> >> accepted the upstream change, workaround no-go)
> >>
> >> [2.3.2-RELEASE][root at gw.lab]/root: ssh -l admin
> >> -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.XXX
> >> Fssh_ssh_dispatch_run_fatal: Connection to 192.168.1.XXX port 22: DH GEX
> >> group out of range
> >>
> >
> > DH prime size must be at least 2048, openssh now refuse lower values.
> > Commonly used DH size 1024 can be easily broken. See https://weakdh.org
> >
> diffie-hellman-group1-sha1 use DH 1024 and insecure sha1 both.
IMHO, this is wrong choise: totaly lost of control now vs teoretical
compromise of control in the future.
More information about the svn-src-head
mailing list