svn commit: r303716 - head/crypto/openssh

Bruce Simpson bms at fastmail.net
Sun Aug 7 11:40:44 UTC 2016


On 07/08/16 11:58, Bruce Simpson wrote:
> Is there a way to revert this change, at least on an ongoing operational
> basis (e.g. configuration file) for those of us who use FreeBSD to
> connect directly to such devices?

I was able to override this (somewhat unilateral, to my mind) 
deprecation of the DH key exchange by using this option: 
-oKexAlgorithms=+diffie-hellman-group1-sha1

Obviously that is too much of a mouthful for day-to-day operational 
memory. I shudder to think how a novice SSH user, who is otherwise 
competent with network switches, is going to cope with this confusion.

OK, so deprecating the (unwanted/vulnerable/obsolete for whatever other 
reason) cipher suite is an ideologically sound move, but the road to 
hell is paved with good intentions.

But surely the operational implications of this on people who use SSH on 
a daily basis could have been better thought out, given many of these 
devices cannot just magically be updated to stop using DH?

As I've said this may not affect just Netonix devices, but a wide range 
of network devices which -- let's be frank -- be grateful they even have 
a basic SSH implementation. I'm staring at $VENDOR_A and $VENDOR_H.

Strikes me as foot shooting. Just my 2c.

Please, at least add a central knob for overriding this. pfSense took 
the change too. I couldn't log in to our local Netonix this morning 
(without booting up a Linux laptop), which violated POLA horribly for me.
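
OpenSSH also reads KexAlgorithms from ssh_config, so the override quoted above can live in a Host block for a single device. The following Python check is an added example, not part of the original message or of OpenSSH: it lists where a client config re-enables diffie-hellman-group1-sha1 and flags blocks that apply it to wildcard hosts. The sample config and its host names are constructed placeholders.

```python
LEGACY_KEX = "diffie-hellman-group1-sha1"

# Constructed sample ssh_config; the host names are placeholders.
SAMPLE_CONFIG = """\
# legacy switch that only offers group1
Host netonix-sw1.example.net
    KexAlgorithms +diffie-hellman-group1-sha1

Host lab-*
    User admin

Host *
    KexAlgorithms=+diffie-hellman-group1-sha1
"""


def legacy_kex_scopes(config_text, kex=LEGACY_KEX):
    """Return (scope, is_broad) for each block that enables `kex`."""
    findings = []
    scope, broad = "(before first Host)", True  # applies to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            scope = "Host " + value
            # a wildcard in any non-negated pattern matches many hosts
            broad = any(ch in pat for pat in value.split()
                        if not pat.startswith("!") for ch in "*?")
        elif keyword == "match":
            # simplification: only "Match all" is treated as broad
            scope, broad = "Match " + value, value.lower() == "all"
        elif keyword == "kexalgorithms" and not value.startswith("-"):
            # "+" appends to the defaults, "^" prepends, no prefix replaces
            if kex in value.lstrip("+^").split(","):
                findings.append((scope, broad))
    return findings


if __name__ == "__main__":
    for scope, broad in legacy_kex_scopes(SAMPLE_CONFIG):
        print(("WIDE   " if broad else "scoped ") + scope)
```
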

