svn commit: r303716 - head/crypto/openssh
Slawa Olhovchenkov
slw at zxy.spb.ru
Sun Aug 7 12:52:37 UTC 2016
On Sun, Aug 07, 2016 at 03:25:54PM +0300, Andrey Chernov wrote:
> On 07.08.2016 14:59, Bruce Simpson wrote:
> > On 07/08/16 12:43, Oliver Pinter wrote:
> >>> I was able to override this (somewhat unilateral, to my mind)
> >>> deprecation of the DH key exchange by using this option:
> >>> -oKexAlgorithms=+diffie-hellman-group1-sha1
> >>
> >> You can add this option to /etc/ssh/ssh.conf or ~/.ssh/config too.
> >
> > Can this at least be added (commented out, if you really want to enforce
> > this policy on users out-of-the-box) to the former file in FreeBSD
> > itself? And a note added to UPDATING?
> >
> > Otherwise, it's almost as though those behind the change are assuming
> > that users will just know exactly what to do in their operational
> > situation. That's a good way to cause problems for folk using FreeBSD in
> > IT operations.
> >
> > (systemd epitomises this kind of foot shooting.)
> >
> > I understand already - you want to deprecate a set of key exchanges, and
> > believe in setting an example - but the rest of the world might not be
> > ready for that just yet.
> >
>
> You should address your complains to original openssh author instead, it
> was his decision to get rid of weak algos. In my personal opinion, if
> your hardware is outdated, just drop it out.
Hardware outdated by outdated main function, not by outdated ssh
upstream.
> We can't turn our security
> team into compatibility team, by constantly restoring removed code, such
> code quickly becomes outdated and may add new security holes even being
> inactive.
What is security hole by present this ciphers in _client_?
More information about the svn-src-all
mailing list