svn commit: r303716 - head/crypto/openssh

Garance A Drosehn drosih at rpi.edu
Mon Aug 8 18:36:37 UTC 2016


On 7 Aug 2016, at 7:40, Bruce Simpson wrote:

> On 07/08/16 11:58, Bruce Simpson wrote:
>> Is there a way to revert this change, at least on an ongoing
>> operational basis (e.g. configuration file) for those of us who
>> use FreeBSD to connect directly to such devices?
>
> I was able to override this (somewhat unilateral, to my mind)
> deprecation of the DH key exchange by using this option:
>    -oKexAlgorithms=+diffie-hellman-group1-sha1

If I understand the issues, the biggest concern with this change is
for people who need ssh clients to connect to ancient hardware.

Perhaps we could reduce the pain of this change by creating a special
port for ssh.  One which installs a version of openssh that does not
include this change, and which also does not include sshd.  In addition,
it could install ssh/scp under some alternate names, such that people
would have to explicitly request 'ssh-2015' (instead of 'ssh') to
execute this older version of ssh.  (I suspect that we should not
call the binaries 'ssh-old' and 'scp-old', as those names will not
work well for a long-term option).

*That* port would remain frozen in time, and would (probably) not
import any updates from future versions of openssh.  The only goal of
this port is to give people a way to access hardware that they cannot
access with the newer version of openssh.  It is not some new fork
of ssh which will track future improvements to openssh.

This ssh-2015 version might need some updates of its own, but only
wrt default configuration settings, and maybe so it will recognize
some special configuration options that the main ssh will ignore.

[aside: we have some machines here at RPI which are old enough that
I already have an alternate-version of ssh to connect to them, so
this tactic is nothing new to me!  Kinda sad, really...]

-- 
Garance Alistair Drosehn                =     drosih at rpi.edu
Senior Systems Programmer               or   gad at FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
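The `-oKexAlgorithms=+diffie-hellman-group1-sha1` override quoted above re-enables the dropped key-exchange method for a single invocation; when people move it into `ssh_config` the usual mistake is to put it under `Host *`, which turns the legacy algorithm back on for every server instead of only the old hardware. The following audit script is an added example, not code from this thread or from the OpenSSH or FreeBSD projects. It assumes standard `ssh_config` syntax (Host blocks, `KexAlgorithms` with the `+`, `-` and `^` prefixes, first value wins) and runs over a constructed sample config in which the same option appears once scoped to one device and once globally.

```python
"""Audit an OpenSSH client config for re-enabled legacy KEX algorithms.

Added example (not from the mailing-list thread). Assumes ssh_config
semantics: keywords are case-insensitive, the first value obtained for a
keyword wins, and KexAlgorithms accepts '+' (append), '^' (prepend) and
'-' (remove) prefixes relative to the built-in default list.
"""
import re

# Constructed sample config: the first block scopes the legacy KEX to one
# device, the second re-enables it for every host that was not matched above.
SAMPLE_CONFIG = """\
# legacy network gear that only speaks group1-sha1
Host legacy-switch
    HostName 192.0.2.10
    KexAlgorithms +diffie-hellman-group1-sha1

Host *
    KexAlgorithms=+diffie-hellman-group1-sha1
"""

# Algorithms removed from the OpenSSH client defaults (the thread's case).
LEGACY_KEX = {"diffie-hellman-group1-sha1"}


def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, {option: value}) blocks.

    Options before the first Host/Match line apply to every host, so they are
    collected under the pattern '*'. Keys are lower-cased because ssh_config
    keywords are case-insensitive; 'Key value' and 'Key=value' both parse.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            if options:
                blocks.append((patterns, options))
            # Match blocks are treated as scoped, never as global.
            patterns = value.split() if key == "host" else ["match:" + value]
            options = {}
        else:
            options.setdefault(key, value)    # first value wins, as in ssh(1)
    if options:
        blocks.append((patterns, options))
    return blocks


def is_global(patterns):
    """A block is global when one of its patterns is the bare wildcard '*'."""
    return any(p == "*" for p in patterns)


def legacy_kex_findings(text):
    """Return one finding per block that enables a legacy KEX algorithm."""
    findings = []
    for patterns, options in parse_ssh_config(text):
        value = options.get("kexalgorithms")
        if not value:
            continue
        # '+' and '^' add to the defaults; '-' removes, so it cannot enable.
        mode = value[0] if value[0] in "+-^" else "="
        algs = set(value.lstrip("+-^").split(","))
        enabled = sorted(algs & LEGACY_KEX) if mode != "-" else []
        if enabled:
            findings.append({
                "hosts": patterns,
                "algorithms": enabled,
                "global": is_global(patterns),
            })
    return findings


def has_global_legacy_kex(text):
    """True if any legacy KEX algorithm is enabled for every host."""
    return any(f["global"] for f in legacy_kex_findings(text))


if __name__ == "__main__":
    for f in legacy_kex_findings(SAMPLE_CONFIG):
        scope = "GLOBAL" if f["global"] else "scoped"
        print(f"{scope:6} Host {' '.join(f['hosts'])}: "
              f"{', '.join(f['algorithms'])}")
```

Run against the sample it reports the `legacy-switch` block as scoped and the `Host *` block as global; the intended fix is to delete the global entry and keep only the per-host one, which is what the "special port" idea in the message above would avoid having to configure at all.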

