fbsd11 & sshv1
Terje Elde
terje at elde.net
Tue Jan 31 10:49:53 UTC 2017
> On 30 Jan 2017, at 20:52, heasley <heas at shrubbery.net> wrote:
>
> That is sad; I doubt that I am the only one who would need this - there
> are millions of Cisco, HP, and etc network devices that folks must continue
> to access but will never receive new firmware with sshv2. It takes a long
> time for some equipment to transition to the recycle bin - even after
> vendor EOLs.
I get your point, but there are other ways to go about this.
The right way to go about it would IMHO be fairly simple:
If you have few boxes, bin them. If they’re not getting firmware updates, ssh v1 isn’t your only problem.
If you have too many critical or expensive boxes to make that practical, you can probably afford a Soekris, Raspberry Pi or similar, that you can keep at FreeBSD 10, and use as a jump host. Which you should probably have anyway, if your equipment is no longer getting updates.
Either way: problem solved, and relatively cleanly so.
“We have that crud over there, so we must keep this crud over here” really isn’t the way to move security forward, especially not when better solutions are easily available. SSH2 has been around for a decade now, it’s time to let go of SSH1, at least in primary systems.
Terje
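The suggestion above amounts to an inventory problem: before binning boxes or parking them behind a jump host, you need to know which devices still only speak SSH protocol 1. The following is an added example (not code from the original post or from the FreeBSD project) that classifies SSH identification strings by the protocol version they advertise, using the banner format from RFC 4253 section 4.2 ("SSH-protoversion-softwareversion", with "1.99" meaning the server supports both 1.x and 2.0). The host names and banners in the inventory are constructed sample data; the hypothetical `fetch_banner` helper shows how such a banner is read from a live port.

```python
import re
import socket

# Identification string per RFC 4253 section 4.2:
# SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def classify_banner(banner: str) -> str:
    """Map an SSH banner to one of:
    'ssh1-only', 'ssh1-and-ssh2', 'ssh2-only' or 'unknown'."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unknown"
    proto = m.group("proto")
    if proto == "1.99":
        # RFC 4253 section 5.1: server offers both protocol 1.x and 2.0
        return "ssh1-and-ssh2"
    if proto.startswith("1."):
        return "ssh1-only"
    if proto == "2.0":
        return "ssh2-only"
    return "unknown"


def fetch_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Hypothetical helper: read the first line a live SSH server sends.
    Servers send their identification string before any client input,
    so a single read of the first CRLF-terminated line is enough."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = s.recv(1)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace").rstrip("\r\n")


def triage_inventory(inventory):
    """Given (host, banner) pairs, return a dict host -> class, plus the
    sorted list of hosts that can only be reached with SSH protocol 1
    (the ones that would need a legacy jump host or replacement)."""
    classes = {host: classify_banner(banner) for host, banner in inventory}
    legacy_only = sorted(h for h, c in classes.items() if c == "ssh1-only")
    return classes, legacy_only


# Constructed sample inventory; the banners are illustrative, not captured.
SAMPLE_INVENTORY = [
    ("core-sw-01.example.invalid", "SSH-1.5-Cisco-1.25"),
    ("dist-rtr-02.example.invalid", "SSH-1.99-OpenSSH_5.3"),
    ("jump.example.invalid", "SSH-2.0-OpenSSH_7.4"),
    ("oob-mgmt.example.invalid", "220 not an ssh banner"),
]

if __name__ == "__main__":
    classes, legacy_only = triage_inventory(SAMPLE_INVENTORY)
    for host, cls in classes.items():
        print(f"{host:32} {cls}")
    print("ssh1-only hosts:", legacy_only)
```

Hosts reported as `ssh1-and-ssh2` need no special handling beyond disabling protocol 1 on the device; only the `ssh1-only` list represents the equipment the thread is arguing about.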