svn commit: r303716 - head/crypto/openssh
Bruce Simpson
bms at fastmail.net
Sun Aug 7 17:37:36 UTC 2016
On 07/08/16 18:34, Andrey Chernov wrote:
>>> Alcatel-Lucent OmniSwitch 6800 login broken (pfSense 2.3.2 which
>>> accepted the upstream change, workaround no-go)
>>>
>>> [2.3.2-RELEASE][root at gw.lab]/root: ssh -l admin
>>> -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.XXX
>>> Fssh_ssh_dispatch_run_fatal: Connection to 192.168.1.XXX port 22: DH GEX
>>> group out of range
>> DH prime size must be at least 2048, openssh now refuse lower values.
>> Commonly used DH size 1024 can be easily broken. See https://weakdh.org
>>
> diffie-hellman-group1-sha1 use DH 1024 and insecure sha1 both.
>
I appreciate that, but what do I as a user do about it? My distribution
has changed behaviour I rely on in an operational setting. My initial
reaction is likely to be one of confusion, and general dismay.
I appreciate that this is done for security reasons, but it could take
an arbitrarily long time for a lot of deployed hardware in current use
to be updated.
(On the other hand, the introduction of, say ED25519 has been more
gradual, and has tended to see uptake in e.g. Linux-based ARM products.)
More information about the svn-src-all
mailing list