On Sun, Aug 07, 2016 at 03:25:54PM +0300, Andrey Chernov wrote:
> On 07.08.2016 14:59, Bruce Simpson wrote:
> > On 07/08/16 12:43, Oliver Pinter wrote:
> >>> I was able to override this (somewhat unilateral, to my mind)
> >>> deprecation of the DH key exchange by using this option:
> >>> -oKexAlgorithms=+diffie-hellman-group1-sha1
> >>
> >> You can add this option to /etc/ssh/ssh.conf or ~/.ssh/config too.
> >
> > Can this at least be added (commented out, if you really want to enforce
> > this policy on users out-of-the-box) to the former file in FreeBSD
> > itself? And a note added to UPDATING?
> >
> > Otherwise, it's almost as though those behind the change are assuming
> > that users will just know exactly what to do in their operational
> > situation. That's a good way to cause problems for folk using FreeBSD in
> > IT operations.
> >
> > (systemd epitomises this kind of foot shooting.)
> >
> > I understand already - you want to deprecate a set of key exchanges, and
> > believe in setting an example - but the rest of the world might not be
> > ready for that just yet.
> >
>
> You should address your complaints to the original openssh author instead; it
> was his decision to get rid of weak algos. In my personal opinion, if
> your hardware is outdated, just drop it out.

The hardware is outdated by an outdated main function, not by outdated ssh upstream.

> We can't turn our security
> team into a compatibility team by constantly restoring removed code; such
> code quickly becomes outdated and may add new security holes even being
> inactive.

What is the security hole in having these ciphers present in the _client_?

svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
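A defender-side check for the option discussed in this thread, added here as an example (it is not code from the thread, from FreeBSD or from OpenSSH): a POSIX shell function that audits an ssh_config and reports whether the legacy diffie-hellman-group1-sha1 key exchange has been re-enabled for every connection or only inside named `Host`/`Match` blocks. The sample configs are constructed, and the parser assumes the whitespace-separated `Keyword value` form of ssh_config lines (the `Keyword=value` form is not handled).

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH/FreeBSD): audit an
# ssh_config for the legacy diffie-hellman-group1-sha1 key exchange and
# report whether it is re-enabled for every connection or only for named
# Host/Match blocks. Assumes the whitespace-separated "Keyword value" form
# of ssh_config lines; "Keyword=value" lines are not parsed.

# Constructed sample: the override placed at top level, so it applies everywhere.
GLOBAL_CONFIG='# client config
KexAlgorithms +diffie-hellman-group1-sha1

Host *
    ForwardAgent no
'

# Constructed sample: the override confined to one legacy device.
SCOPED_CONFIG='# client config
Host legacy-switch
    HostName 192.0.2.10
    KexAlgorithms +diffie-hellman-group1-sha1

Host *
    ForwardAgent no
'

# audit_legacy_kex CONFIG_TEXT
# Prints "global" if the legacy KEX is enabled outside any Host/Match block
# (or under "Host *", which matches every connection), "scoped:<patterns>"
# if it appears only under specific Host/Match blocks, and "none" otherwise.
audit_legacy_kex() {
    printf '%s\n' "$1" | awk '
        BEGIN { scope = ""; global = 0; scoped = "" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        tolower($1) == "host" || tolower($1) == "match" {
            scope = $2                             # remember the block pattern(s)
            for (i = 3; i <= NF; i++) scope = scope " " $i
            next
        }
        tolower($1) == "kexalgorithms" && $0 ~ /diffie-hellman-group1-sha1/ {
            if (scope == "" || scope == "*") global = 1
            else scoped = scoped (scoped == "" ? "" : ",") scope
        }
        END {
            if (global) print "global"
            else if (scoped != "") print "scoped:" scoped
            else print "none"
        }'
}

# Stand-alone run: report both constructed samples.
printf 'global sample -> %s\n' "$(audit_legacy_kex "$GLOBAL_CONFIG")"
printf 'scoped sample -> %s\n' "$(audit_legacy_kex "$SCOPED_CONFIG")"
```

The point of the check is the placement: a `KexAlgorithms +diffie-hellman-group1-sha1` line at the top of the file (or under `Host *`) weakens the key exchange offered to every server the client talks to, while the same line under a `Host` block naming the legacy device keeps the client's defaults intact everywhere else. Run it against `/etc/ssh/ssh_config` and `~/.ssh/config` with `audit_legacy_kex "$(cat FILE)"`.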