Important note for future FreeBSD base system OpenSSH update
Julian H. Stacey
jhs at berklix.com
Tue Sep 21 13:17:13 UTC 2021
Mathieu Arnold wrote:
>
> On Sun, Sep 12, 2021 at 05:09:45AM +0700, Eugene Grosbein wrote:
> > 10.09.2021 1:01, Ed Maste wrote:
> >
> > > To check whether a server is using the weak ssh-rsa public key
> > > algorithm, for host authentication, try to connect to it after
> > > removing the ssh-rsa algorithm from ssh(1)'s allowed list:
> > >
> > > ssh -oHostKeyAlgorithms=-ssh-rsa user at host
> > >
> > > If the host key verification fails and no other supported host key
> > > types are available, the server software on that host should be
> > > upgraded.
> >
> > I have some telco equipment (E1/SS7) based on custom Linux distro built by a vendor:
> >
> > $ ssh -oHostKeyAlgorithms=-ssh-rsa user at host
> > Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-rsa
> >
> > I've already asked the vendor for possible upgrade and was told that no upgrade will be available.
> >
> > Will I be able to use ssh_config and following command to re-enable the feature after planned import?
> >
> > HostKeyAlgorithms ssh-rsa
>
> Same here, I have many telco and even switches and routers that only
> support ssh-rsa, will it be possible to use a ssh_config knob to enable
> it back?
Same here. A mix of new & old hardware using ssh protocol on an internal
net behind a firewall. Functionality required. Not pointless damage!
So mark old protocols "less secure, better use .." & set defaults to newer,
but do not erase working protocols; let users decide what's best in each case.
Removal of old protocols to force users to force world's hardware
vendors to all upgrade, & "Devil take the hindmost" is draconian !
Aside: An example of old hardware safely using old ssh behind a firewall:
HP Network Scanjet with ADF - Converted to use FreeBSD-4.11,
http://berklix.com/scanjet/
Works perfectly, FreeBSD 11 12 or 13 too big!
Any old ssh sufficient for rdist6 & sftp etc.
Siren voices to cripple ssh, would cripple use of old hardware, disrupt &
waste other people's money, & dump more scrapped hardware on the planet.
Think Green: Retain old protocols, but mark them less secure.
Cheers,
--
Julian Stacey http://berklix.com/jhs/ http://stolenvotes.uk
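The probe Ed Maste describes in the quoted text, and the ssh_config knob the thread asks about, as an added shell example that is not part of this thread and not OpenSSH's own code: it classifies the text ssh prints when ssh-rsa is removed from the allowed host key list, and emits a per-host `Host` stanza only for the hosts that still need ssh-rsa, so the exception is scoped to those hosts rather than re-enabled globally. The `probe_host`, `classify_probe` and `legacy_stanza` helper names and the sample error lines in the test are assumptions constructed for this example; `HostKeyAlgorithms +ssh-rsa` uses OpenSSH's "+" syntax to append to the default list instead of replacing it.

```shell
#!/bin/sh
# Added example, not from the thread: audit hosts with the probe quoted above
# and print a scoped ssh_config stanza only for hosts that still need ssh-rsa.

# Classify the text ssh prints when run with -oHostKeyAlgorithms=-ssh-rsa.
# Prints one of: needs-ssh-rsa, no-shared-hostkey, negotiated.
classify_probe() {
    out=$1
    case "$out" in
        *"no matching host key type found"*)
            # The server's host key types follow "Their offer: " in the error.
            offer=${out##*"Their offer: "}
            case ",$offer," in
                *,ssh-rsa,*) echo needs-ssh-rsa ;;   # ssh-rsa is all it can do
                *) echo no-shared-hostkey ;;          # some other unsupported type
            esac ;;
        *)
            # Key exchange got past host key selection (even if auth then failed).
            echo negotiated ;;
    esac
}

# Run the probe from the thread against one host (assumes ssh is installed).
# BatchMode stops password prompts; ConnectTimeout bounds unreachable hosts.
probe_host() {
    classify_probe "$(ssh -oBatchMode=yes -oConnectTimeout=5 \
        -oHostKeyAlgorithms=-ssh-rsa "$1" true 2>&1)"
}

# Hypothetical helper: a per-host ssh_config stanza that adds ssh-rsa back
# for this one host only. "+ssh-rsa" appends to the default list.
legacy_stanza() {
    printf 'Host %s\n    HostKeyAlgorithms +ssh-rsa\n' "$1"
}

# Usage: sh audit.sh host1 host2 ...   (stanzas go to stdout, status to stderr)
if [ "$#" -gt 0 ]; then
    for h in "$@"; do
        r=$(probe_host "$h")
        echo "# $h: $r" >&2
        [ "$r" = needs-ssh-rsa ] && legacy_stanza "$h"
    done
fi
```

Appending the printed stanzas to `~/.ssh/config` keeps the weaker algorithm confined to the named legacy devices while every other connection keeps the new defaults; re-running the audit later shows which stanzas can be dropped once a device is replaced.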