List:       freebsd-security
Subject:    Re: Important note for future FreeBSD base system OpenSSH update
From:       "Julian H. Stacey" <jhs () berklix ! com>
Date:       2021-09-21 13:16:59
Message-ID: 202109211316.18LDGxtx007838 () fire ! js ! berklix ! net
Mathieu Arnold wrote:
> 
> On Sun, Sep 12, 2021 at 05:09:45AM +0700, Eugene Grosbein wrote:
> > 10.09.2021 1:01, Ed Maste wrote:
> > 
> > > To check whether a server is using the weak ssh-rsa public key
> > > algorithm, for host authentication, try to connect to it after
> > > removing the ssh-rsa algorithm from ssh(1)'s allowed list:
> > > 
> > > ssh -oHostKeyAlgorithms=-ssh-rsa user@host
> > > 
> > > If the host key verification fails and no other supported host key
> > > types are available, the server software on that host should be
> > > upgraded.
> > 
> > I have some telco equipment (E1/SS7) based on a custom Linux distro built by a vendor:
> > $ ssh -oHostKeyAlgorithms=-ssh-rsa user@host
> > Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-rsa
> > I've already asked the vendor for a possible upgrade and was told that no upgrade will be available.
> > Will I be able to use ssh_config and the following command to re-enable the feature after the planned import?
> > HostKeyAlgorithms ssh-rsa
> 
> Same here, I have many telco and even switches and routers that only
> support ssh-rsa, will it be possible to use a ssh_config knob to enable
> it back?

Same here.  A mix of new & old hardware using ssh protocol on an internal
net behind a firewall.  Functionality required.  Not pointless damage!

So mark old protocols "less secure, better use .." & set defaults to newer,
but do not erase working protocols; let users decide what's best in each case.

Removal of old protocols to force users to force world's hardware
vendors to all upgrade, & "Devil take the hindmost" is draconian !

Aside: An example of old hardware safely using old ssh behind a firewall:
	HP Network Scanjet with ADF - Converted to use FreeBSD-4.11,
	http://berklix.com/scanjet/
	Works perfectly, FreeBSD 11 12 or 13 too big!
	Any old ssh sufficient for rdist6 & sftp etc.

Siren voices to cripple ssh would cripple use of old hardware, disrupt &
waste other people's money, & dump more scrapped hardware on the planet.
Think Green: Retain old protocols, but mark them less secure.

Cheers,
--
Julian Stacey  http://berklix.com/jhs/  http://stolenvotes.uk
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
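The check Ed Maste describes and the ssh_config knob the replies ask about, as an added example that is not part of the thread: a small POSIX shell script that classifies a server from the stderr of `ssh -oHostKeyAlgorithms=-ssh-rsa`, and emits a per-host stanza that re-enables the SHA-1 `ssh-rsa` signature only for that host. The hostnames, the sample ssh output and the `probe_host`/`legacy_stanza` names are constructed for illustration; the option names `HostKeyAlgorithms` and `PubkeyAcceptedAlgorithms` are the real OpenSSH ones (the latter assumes OpenSSH 8.5 or newer, where it replaced `PubkeyAcceptedKeyTypes`).

```shell
#!/bin/sh
# Added example, not code from the thread. Classify a server from the stderr
# of an ssh attempt that has ssh-rsa removed from the host key list, then
# build a scoped ssh_config stanza for the hosts that really need it.

# Constructed sample output, modelled on the message quoted in the thread.
SAMPLE_LEGACY='Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa'
SAMPLE_MIXED='Unable to negotiate with 192.0.2.11 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss'
SAMPLE_OK='Permission denied (publickey).'   # negotiation succeeded, auth failed

# offered_hostkey_types STDERR -> prints the comma-separated offer from a
# "no matching host key type found" failure, or nothing if negotiation worked.
offered_hostkey_types() {
    printf '%s\n' "$1" | sed -n 's/.*no matching host key type found\. Their offer: //p'
}

# needs_legacy_rsa STDERR -> exit 0 when negotiation failed and the server
# offers the SHA-1 ssh-rsa signature (it has no rsa-sha2-* to fall back to).
needs_legacy_rsa() {
    offer=$(offered_hostkey_types "$1")
    [ -n "$offer" ] || return 1
    case ",$offer," in
        *,ssh-rsa,*) return 0 ;;
        *)           return 1 ;;
    esac
}

# probe_host HOST -> runs the real check against a live host (hypothetical
# helper; not exercised here so the script runs offline). BatchMode keeps it
# non-interactive; a "Host key verification failed" result still means the
# negotiation itself got past the host key algorithm selection.
probe_host() {
    ssh -oBatchMode=yes -oConnectTimeout=5 -oHostKeyAlgorithms=-ssh-rsa \
        "$1" exit 2>&1 >/dev/null
}

# legacy_stanza HOSTPATTERN -> ssh_config lines scoped to that host.
# "+ssh-rsa" appends to the default list; the bare "HostKeyAlgorithms ssh-rsa"
# form from the thread would replace the whole list and disable the modern
# types for that host as well.
legacy_stanza() {
    printf 'Host %s\n    HostKeyAlgorithms +ssh-rsa\n    PubkeyAcceptedAlgorithms +ssh-rsa\n' "$1"
}

# Stand-alone demonstration over the constructed samples.
for pair in "old-pbx:$SAMPLE_LEGACY" "old-switch:$SAMPLE_MIXED" "new-router:$SAMPLE_OK"; do
    host=${pair%%:*}
    out=${pair#*:}
    if needs_legacy_rsa "$out"; then
        echo "# $host offers only SHA-1 RSA host key signatures; scoped exception:"
        legacy_stanza "$host"
    else
        echo "# $host negotiates without ssh-rsa; no exception needed"
    fi
done
```

Put the emitted stanzas in `~/.ssh/config` (or `/etc/ssh/ssh_config`) above any catch-all `Host *` block, so the exception stays limited to the named devices and the client default stays at the newer algorithms.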