On 8/7/16, Bruce Simpson <b...@fastmail.net> wrote:
> On 07/08/16 11:58, Bruce Simpson wrote:
>> Is there a way to revert this change, at least on an ongoing operational
>> basis (e.g. configuration file) for those of us who use FreeBSD to
>> connect directly to such devices?
>
> I was able to override this (somewhat unilateral, to my mind)
> deprecation of the DH key exchange by using this option:
> -oKexAlgorithms=+diffie-hellman-group1-sha1

You can add this option to /etc/ssh/ssh.conf or ~/.ssh/config too.

> Obviously that is too much of a mouthful for day-to-day operational
> memory. I shudder to think how a novice SSH user, who is otherwise
> competent with network switches, is going to cope with this confusion.
>
> OK, so deprecating the (unwanted/vulnerable/obsolete for whatever other
> reason) cipher suite is an ideologically sound move, but the road to
> hell is paved with good intentions.
>
> But surely the operational implications of this on people who use SSH on
> a daily basis could have been better thought out, given many of these
> devices cannot just magically be updated to stop using DH?
>
> As I've said this may not affect just Netonix devices, but a wide range
> of network devices which -- let's be frank -- be grateful they even have
> a basic SSH implementation. I'm staring at $VENDOR_A and $VENDOR_H.
>
> Strikes me as foot shooting. Just my 2c.
>
> Please, at least add a central knob for overriding this. pfSense took
> the change too. I couldn't log in to our local Netonix this morning
> (without booting up a Linux laptop), which violated POLA horribly for me.
>
> _______________________________________________
> svn-src-h...@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/svn-src-head
> To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
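A scoped way to apply the override discussed in the thread, as an added example that is not part of the original messages: instead of re-enabling diffie-hellman-group1-sha1 (a 1024-bit MODP group, which is why OpenSSH dropped it from the client defaults) for every connection, pin it to the legacy devices that actually need it in ~/.ssh/config (per user) or /etc/ssh/ssh_config (system-wide). The host name and address below are placeholders, not devices from the thread.

```sshconfig
# ~/.ssh/config  (per-user)  or  /etc/ssh/ssh_config  (system-wide)
# Added example; "netonix-sw1" and 192.0.2.10 are made-up placeholders.

# Legacy switches/radios whose firmware only offers diffie-hellman-group1-sha1.
# The leading '+' appends to the default KexAlgorithms list rather than
# replacing it, so stronger methods are still negotiated first when a peer
# supports them; only these hosts get the weak group at all.
Host netonix-sw1 192.0.2.10
    KexAlgorithms +diffie-hellman-group1-sha1

# Every other host keeps the stock, stricter defaults: no override here.
Host *
    # intentionally empty
```

The symptom this addresses is the client-side error "Unable to negotiate with <host> port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1". Before relying on the stanza, confirm the client still ships the method with `ssh -Q kex | grep group1`, and check what the stanza resolves to for a given host with `ssh -G netonix-sw1 | grep -i kexalgorithms`; if the legacy group is absent from `-Q kex` output entirely, no config option will bring it back and the device firmware must be updated or reached through a jump host that still supports it.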