Re: Heads-up: DSA key support being removed from OpenSSH

From: Bjoern A. Zeeb <bzeeb-lists_at_lists.zabbadoz.net>
Date: Thu, 10 Apr 2025 22:24:49 UTC
On Thu, 10 Apr 2025, Ed Maste wrote:

> On Wed, 19 Mar 2025 at 17:21, Jan Bramkamp <crest@rlwinm.de> wrote:
>>
>> As long as it's "only" a compile-time option away for FreeBSD to enable
>> this flawed cipher I would like to have it compiled in by default so it
>> doesn't require installing SSH from ports to connect to some stupid old
>> router/switch/UPS/whatever over SSH. As long as it won't negotiate that
>> cipher with the default configuration that's safe enough for my needs.
>>
>> TL;DR: Please keep it enabled at compile-time, but configured
>> disabled. FreeBSD shouldn't require recompiling the base system to
>> connect to older embedded devices.
>
> It's a compile-time option in 9.9 and earlier. As of 10.0 the
> configure infrastructure has been removed but the source hasn't yet
> been deleted. I expect that will happen soon though.
>
> We'll keep DSA available, at least in stable branches, as long as it's
> reasonably convenient and safe to do so, but won't patch it back in
> once the source is removed.

Is there any chance to keep an openssh (client) port (possibly with known
security risks)?

Do we have alternative ssh clients in ports which will keep supporting
DSA?

I kind of understand why OpenBSD is doing what they do (and have long
announced so) but I also see the real world out there.
The amount of network gear which relies on it still is massive.

I evaluated GPON SFPs last year, some of which have no alternative for
managing them but enabling ssh-dss.  They run ancient Linux 3.x on tiny
spaces; once certified, they run forever.  Come back in 20 years.  No more
DSA, no more management.

Lots of old switches out there belong in similar categories and the
 	=+ssh-rsa,ssh-dss
configs have grown.  Even 11ax access points still fall into that
category (though they could be upgraded if someone was to do the
software).


I think providing a list of alternative clients somewhere for our
users who still need it would be very good.  A wiki page or something
so it can be easily maintained?  Not endorsing anything just listing it.

Bjoern

-- 
Bjoern A. Zeeb                                                     r15:7
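The `=+ssh-rsa,ssh-dss` configs Bjoern mentions are exactly what Jan's "as long as it won't negotiate that cipher with the default configuration" caveat is about: the risk is not the per-device stanza but the global one. The script below is an added example, not part of the thread or of OpenSSH; it parses an ssh_config, reports in which scope ssh-dss is enabled (global `Host *` versus a named host), generates a correctly scoped stanza for one legacy device, and checks `ssh -Q HostKeyAlgorithms` output (passed in as text) to confirm the installed client was actually built with DSA support. The sample config, host alias and addresses are constructed.

```python
import re
from typing import Dict, List, Tuple

# Client options whose value is a list of accepted key algorithms.
# PubkeyAcceptedKeyTypes is the older spelling of PubkeyAcceptedAlgorithms.
ALGO_OPTIONS = {"hostkeyalgorithms", "pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes"}

# Constructed sample ssh_config (not from the thread): a global enablement an
# auditor should flag, a removal that must not be flagged, and one properly
# scoped stanza for a legacy device.
SAMPLE_CONFIG = """\
# constructed sample
Host *
    HostKeyAlgorithms=+ssh-rsa,ssh-dss
    PubkeyAcceptedAlgorithms -ssh-dss

Host legacy-olt
    HostName 192.0.2.10
    HostKeyAlgorithms +ssh-dss
    PubkeyAcceptedAlgorithms +ssh-dss
"""

# ssh_config accepts both "Keyword value" and "Keyword=value".
_LINE = re.compile(r"^(\w+)\s*(?:=|\s)\s*(\S.*)$")


def parse_ssh_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (scope, option, value) triples.

    scope is '*' for options that precede any Host/Match line or sit under
    'Host *'; otherwise it is the Host/Match pattern text. Option names are
    lower-cased because OpenSSH keywords are case-insensitive.
    """
    scope = "*"
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            scope = val
            continue
        entries.append((scope, key, val))
    return entries


def enables_dss(value: str) -> bool:
    """True if an algorithm-list value adds or sets ssh-dss.

    '+list' appends, '^list' prepends, a bare list replaces the default;
    '-list' removes, so a '-' value can never enable anything.
    """
    if value.startswith("-"):
        return False
    algos = {a.strip().lower() for a in value.lstrip("+^").split(",")}
    return "ssh-dss" in algos


def dss_scopes(text: str) -> Dict[str, List[str]]:
    """Map each scope that enables ssh-dss to the options doing so."""
    found: Dict[str, List[str]] = {}
    for scope, key, val in parse_ssh_config(text):
        if key in ALGO_OPTIONS and enables_dss(val):
            found.setdefault(scope, []).append(key)
    return found


def globally_enabled(text: str) -> bool:
    """The state the thread wants to avoid: ssh-dss offered to every host."""
    return "*" in dss_scopes(text)


def scoped_stanza(alias: str, hostname: str) -> str:
    """A per-host stanza enabling ssh-dss for one legacy device only.

    Assumes the installed ssh was built with DSA support; verify with
    client_offers_dss() on the output of `ssh -Q HostKeyAlgorithms` first.
    """
    return (
        f"Host {alias}\n"
        f"    HostName {hostname}\n"
        f"    HostKeyAlgorithms +ssh-dss\n"
        f"    PubkeyAcceptedAlgorithms +ssh-dss\n"
    )


def client_offers_dss(query_output: str) -> bool:
    """Given the text printed by `ssh -Q HostKeyAlgorithms`, report DSA support."""
    return "ssh-dss" in query_output.split()


if __name__ == "__main__":
    print("ssh-dss enabled in scopes:", dss_scopes(SAMPLE_CONFIG))
    print("global enablement:", globally_enabled(SAMPLE_CONFIG))
    print(scoped_stanza("legacy-switch", "192.0.2.20"))
```

Run it against a real `~/.ssh/config` by reading the file into `dss_scopes()`; a `*` key in the result means the client will offer ssh-dss to every server, which is the configuration Jan's message argues against. The generated stanza keeps the enablement under a single `Host` alias so the default negotiation stays unchanged.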