svn commit: r303716 - head/crypto/openssh

Bruce Simpson bms at fastmail.net
Sun Aug 7 11:59:31 UTC 2016


On 07/08/16 12:43, Oliver Pinter wrote:
>> I was able to override this (somewhat unilateral, to my mind)
>> deprecation of the DH key exchange by using this option:
>> -oKexAlgorithms=+diffie-hellman-group1-sha1
>
> You can add this option to /etc/ssh/ssh.conf or ~/.ssh/config too.

Can this at least be added (commented out, if you really want to enforce 
this policy on users out-of-the-box) to the former file in FreeBSD 
itself? And a note added to UPDATING?

Otherwise, it's almost as though those behind the change are assuming 
that users will just know exactly what to do in their operational 
situation. That's a good way to cause problems for folk using FreeBSD in 
IT operations.

(systemd epitomises this kind of foot shooting.)

I understand already - you want to deprecate a set of key exchanges, and 
believe in setting an example - but the rest of the world might not be 
ready for that just yet.
