From nobody Thu Apr 10 23:21:42 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZYbRq3YsWz5s2PB for ; Thu, 10 Apr 2025 23:21:43 +0000 (UTC) (envelope-from pm_bounces@pm-bounces.phinetworksystems.co.uk) Received: from sc-ord-mta117.mtasv.net (sc-ord-mta117.mtasv.net [50.31.156.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4ZYbRq1l1Qz3ZVJ for ; Thu, 10 Apr 2025 23:21:43 +0000 (UTC) (envelope-from pm_bounces@pm-bounces.phinetworksystems.co.uk) Authentication-Results: mx1.freebsd.org; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=pm20250324; d=pm.mtasv.net; h=From:Date:Subject:Message-Id:To:Cc:References:In-Reply-To:MIME-Version: Content-Type:Content-Transfer-Encoding:Date:From:Message-ID:Reply-To:Sender: Subject:To:CC; t=1744327303; x=1744413703; bh=iRXrdetYaK5VzfJJFteUj0pJtQ9xAb+EOiLdGd1ChUk=; b=ddi7GJAa/qN5FOcCJRHtTzojMUMgSJdnNQSHrJGeKiWZ4w7SZOlJP4rhUgPpRksToeyxydPYPLTW aYG9rqfOwu2JNIhmtKCpawNIRR4CMq2EJsEFWbeurExVHFU90toGE1vp1SQnZgELK+xqfdWhk4tC j67IN1nlBfgpteplYwn0LnX0yBFrt6NQjF4AmHDH2QAkp24uyuYqDVzr0w5sHJpoE7GDcNZlmolX 1GQ7urkD9RebEpyEjBXF1YrTRvSw0tkwU64xzZOD2gh+tuGd1svm1UtyBeZCMPwszUX9DdJuQFea hcEJ2p2cN3AdyWEPXVA7Z7eWopi8ntzjOHGRLg== Received: by sc-ord-mta117.mtasv.net id hv198c3864oj for ; Thu, 10 Apr 2025 19:21:42 -0400 (envelope-from ) X-PM-IP: 50.31.156.117 X-IADB-IP: 50.31.156.117 X-IADB-IP-REVERSE: 117.156.31.50 DKIM-Signature: v=1; a=rsa-sha256; d=phinetworksystems.co.uk; s=20240616025402pm; c=relaxed/relaxed; i=mail.lists@phinetworksystems.co.uk; t=1744327302; x=1744500102; h=date:date:from:from:message-id:reply-to:sender:subject:subject:to:to:cc: references:in-reply-to:feedback-id:mime-version:content-type: content-transfer-encoding; bh=iRXrdetYaK5VzfJJFteUj0pJtQ9xAb+EOiLdGd1ChUk=; b=kAcYoiotUqpDGhk81H5mY2UXVbUh4mZH66cGwniTQIltUijw2CHGrdl6989WWKJxAk/qae6f2VV OniqPBVxtmd2LCNHhd3ujCyX7E/GXhS7er6H4pAN0V2WIfL5H19i9Gdlcjuv9Xf5FhJMdMFPdrCHE bSifozTxk2cSMVwqdjU= From: Dr Jim Allen Date: Thu, 10 Apr 2025 23:21:42 +0000 Subject: Re: Heads-up: DSA key support being removed from OpenSSH Message-Id: <1a1ceefc-ed0b-4602-b250-2a407dd7dbd1@mtasv.net> To: "Bjoern A. Zeeb" Cc: Ed Maste , freebsd-security@freebsd.org X-Assp-Version: 2.8.1(24261) on percival.phinetworksystems.net X-Assp-ID: percival.phinetworksystems.net id-27300-08872 X-Assp-Session: 2A38F3F96D38 (mail 1) X-Assp-Client-TLS: yes References: <76933d66-eff5-4d43-a7a6-98a153e71d77@rlwinm.de> In-Reply-To: User-Agent: Mutt/1.9.4 (2018-02-28) Feedback-ID: s13555785-_:s13555785:a334230:postmark X-Complaints-To: abuse@postmarkapp.com X-PM-Message-Id: 1a1ceefc-ed0b-4602-b250-2a407dd7dbd1 X-PM-RCPT: |bTF8MzM0MjMwfDEzNTU1Nzg1fGZyZWVic2Qtc2VjdXJpdHlAZnJlZWJzZC5vcmc=| X-PM-Message-Options: v1;1.d6MDnTjlhU7RgwYoCwvSsQ.kEAxEz3paxCFhbf1IRQAqWVhsSvZTaQ5hKDxYJtCK_pzO82TWQbPZtiPVCXJbRoFLLhpTnA_0SAHJvlgnXn9-z1wCV4YNEJ0soy8lvWnUtojx9aJK-25D-recib-9MBxCGVCavLz7WU9N2dpwSmRb4aya-P24ZlIT7MKzqCtWaPlwq_d9l_z2jovq6ogldgo List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 X-PM-MTA-Pool: transactional-1 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:23352, ipnet:50.31.128.0/18, country:US] X-Rspamd-Queue-Id: 4ZYbRq1l1Qz3ZVJ X-Spamd-Bar: ---- Two things. = =20 = =20 a) Why remove the build config option? = =20 I know the code is being removed at some point, but until it is, why not = =20 leave it as a option (defaulted off)? = =20 = =20 b) The reasons for not using it are clear. I have gear like that too. = =20 Everyone does. But any of us that do need to speak to that old gear will = =20 just have to install an old version of OpenSSH in order to do so. = =20 It's no different than having to find (keep) an old piece of hardware = =20 that has a real RS232 port on it (because the gear has a weird protocol = =20 that a USB->Serial converter won't speak). = =20 = =20 I have gear that is new and gear that is 20 years old. The hassle of = =20 supporting old gear is one of the drives to renew it. It's life.=3D20 = =20 I don't agree with deprecating something just cause someone doesn't like = =20 it but this is different and if we don't want or need to replace that = =20 old gear then it's really up to us to find a fix. We can't expect the = =20 devs to keep it in for the next 20 years. We want OpenSSH secure. If we = =20 want/need to use an unsecure key method then we should be fine using and = =20 older less secure version. = =20 = =20 Jim :-) On Thu, Apr 10, 2025 at 10:24:49PM +0000, Bjoern A. Zeeb [Re: Heads-up: DSA= key support being removed from OpenSSH] wrote: > On Thu, 10 Apr 2025, Ed Maste wrote: >=20 > > On Wed, 19 Mar 2025 at 17:21, Jan Bramkamp wrote: > > >=20 > > > As long as it's "only" a compile-time option away for FreeBSD to enab= le > > > this flawed cipher I would like to have it compiled in by default so = it > > > doesn't require installing SSH from ports to connect to some stupid o= ld > > > router/switch/UPS/whatever over SSH. As long as it won't negotiate th= at > > > cipher with the default configuration that's safe enough for my needs= . > > >=20 > > It's a compile-time option in 9.9 and earlier. As of 10.0 the > > configure infrastructure has been removed but the source hasn't yet > > been deleted. I expect that will happen soon though. > >=20 > > We'll keep DSA available, at least in stable branches, as long as it's > > reasonably convenient and safe to do so, but won't patch it back in > > once the source is removed. >=20 > Do we have alternative ssh clients in ports which will keep supporting > DSA? >=20 > Lots of old switches out there belong in similar categories and the > =3D+ssh-rsa,ssh-dss >=20 > I think providing a list of alternative clients somewhere for our > users who still need it would be very good. A wiki page or something > so it can be easily maintained? Not endorsing anything just listing it. >=20 --=20 =20 Dr James Allen Phi Network Systems =20 MBL : +44 (0) 7919 332 662 DLN : +44 (0) 28 9343 8236 TEL : +44 (0) 28 93 155 600 FAX : +44 (0) 28 93 155 601 SALES : +44 (0) 845 55 77 600 EMail : Jim.Allen@PhiNetworkSystems.co.uk GPG-key : https://files.phinetworksystems.net/Downloads/GPG-Keys/Jim.Allen-Phi.gpg.as= c https://files.phinetworksystems.net/Downloads/GPG-Keys/Jim.Allen-Phi_allkey= s.gpg.asc S/MIME certificate : https://files.phinetworksystems.net/Downloads/jim.allen-at-phinetworksystem= s.co.uk.pem SKI F3:C3:77:E8:B7:B0:40:48:BD:57:4B:95:99:71:A4:4C:1A:90:9C:67