svn commit: r303716 - head/crypto/openssh
Andrey Chernov
ache at freebsd.org
Sun Aug 7 17:43:05 UTC 2016
On 07.08.2016 20:37, Slawa Olhovchenkov wrote:
> On Sun, Aug 07, 2016 at 08:34:55PM +0300, Andrey Chernov wrote:
>
>> On 07.08.2016 20:31, Andrey Chernov wrote:
>>> On 07.08.2016 19:14, Bruce Simpson wrote:
>>>> On 07/08/16 15:40, Warner Losh wrote:
>>>>> That’s a cop-out answer. We, as a project, need to articulate to our
>>>>> users, whom we care about, why this rather obnoxious hit to usability
>>>>> was taken. The answer must be more complete than “We just disabled
>>>>> it because upstream disabled it for reasons we’re too lazy to explain
>>>>> or document how to work around"
>>>>
>>>> Alcatel-Lucent OmniSwitch 6800 login broken (pfSense 2.3.2 which
>>>> accepted the upstream change, workaround no-go)
>>>>
>>>> [2.3.2-RELEASE][root at gw.lab]/root: ssh -l admin
>>>> -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.XXX
>>>> Fssh_ssh_dispatch_run_fatal: Connection to 192.168.1.XXX port 22: DH GEX
>>>> group out of range
>>>>
>>>
>>> DH prime size must be at least 2048, openssh now refuse lower values.
>>> Commonly used DH size 1024 can be easily broken. See https://weakdh.org
>>>
>> diffie-hellman-group1-sha1 use DH 1024 and insecure sha1 both.
>
> IMHO, this is wrong choise: totaly lost of control now vs teoretical
> compromise of control in the future.
Please note that it was not my choice and I can't answer what to do with
non-upgradeable hardware question, address it to the author. I just tell
you _why_ it happens.
More information about the svn-src-all
mailing list