svn commit: r303716 - head/crypto/openssh
Bruce Simpson
bms at fastmail.net
Sun Aug 7 11:40:44 UTC 2016
On 07/08/16 11:58, Bruce Simpson wrote:
> Is there a way to revert this change, at least on an ongoing operational
> basis (e.g. configuration file) for those of us who use FreeBSD to
> connect directly to such devices?
I was able to override this (somewhat unilateral, to my mind)
deprecation of the DH key exchange by using this option:
-oKexAlgorithms=+diffie-hellman-group1-sha1
Obviously that is too much of a mouthful for day-to-day operational
memory. I shudder to think how a novice SSH user, who is otherwise
competent with network switches, is going to cope with this confusion.
OK, so deprecating the (unwanted/vulnerable/obsolete for whatever other
reason) cipher suite is an ideologically sound move, but the road to
hell is paved with good intentions.
But surely the operational implications of this on people who use SSH on
a daily basis could have been better thought out, given many of these
devices cannot just magically be updated to stop using DH?
As I've said this may not affect just Netonix devices, but a wide range
of network devices which -- let's be frank -- be grateful they even have
a basic SSH implementation. I'm staring at $VENDOR_A and $VENDOR_H.
Strikes me as foot shooting. Just my 2c.
Please, at least add a central knob for overriding this. pfSense took
the change too. I couldn't log in to our local Netonix this morning
(without booting up a Linux laptop), which violated POLA horribly for me.
More information about the svn-src-head
mailing list