svn commit: r303716 - head/crypto/openssh
Peter Jeremy
peter at rulingia.com
Sun Aug 7 20:41:06 UTC 2016
On 2016-Aug-07 15:25:54 +0300, Andrey Chernov <ache at freebsd.org> wrote:
>You should address your complains to original openssh author instead, it
>was his decision to get rid of weak algos.
No. It's up to the person who imported the code into FreeBSD to understand
why the change was made and to be able to justify it to the FreeBSD
community. Firstly, security is not absolute - it's always a cost-benefit
tradeoff and different communities may make different tradeoffs. Secondly,
the importer needs to be confident that the code is actually an improvement,
not an attempt by a bad actor to undermine security.
> In my personal opinion, if
>your hardware is outdated, just drop it out.
This is part of the cost-benefit analysis. Replacing hardware has a real
cost. If it's inside a datacentre, where the management LAN is isolated
from the rest of the world, there may be virtually no benefit to disabling
"weak" ciphers.
>We can't turn our security
>team into compatibility team, by constantly restoring removed code, such
>code quickly becomes outdated and may add new security holes even being
>inactive.
OTOH, FreeBSD has a documented deprecation process that says things will
continue working for a major release after being formally deprecated. I
don't believe there was any mention about DSA being deprecated before now so
I would expect there to be a clearly documented process to restore the
ability for a FreeBSD-11 ssh client to talk to a server using 1024-bit DSA.
Note that the handbook still talks about using DSA - that needs updating as
well.
--
Peter Jeremy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/svn-src-all/attachments/20160808/ff522d5a/attachment.sig>
More information about the svn-src-all
mailing list