On 2016-Aug-07 15:25:54 +0300, Andrey Chernov <a...@freebsd.org> wrote: >You should address your complains to original openssh author instead, it >was his decision to get rid of weak algos.
No. It's up to the person who imported the code into FreeBSD to understand why the change was made and to be able to justify it to the FreeBSD community. Firstly, security is not absolute - it's always a cost-benefit tradeoff and different communities may make different tradeoffs. Secondly, the importer needs to be confident that the code is actually an improvement, not an attempt by a bad actor to undermine security. > In my personal opinion, if >your hardware is outdated, just drop it out. This is part of the cost-benefit analysis. Replacing hardware has a real cost. If it's inside a datacentre, where the management LAN is isolated from the rest of the world, there may be virtually no benefit to disabling "weak" ciphers. >We can't turn our security >team into compatibility team, by constantly restoring removed code, such >code quickly becomes outdated and may add new security holes even being >inactive. OTOH, FreeBSD has a documented deprecation process that says things will continue working for a major release after being formally deprecated. I don't believe there was any mention about DSA being deprecated before now so I would expect there to be a clearly documented process to restore the ability for a FreeBSD-11 ssh client to talk to a server using 1024-bit DSA. Note that the handbook still talks about using DSA - that needs updating as well. -- Peter Jeremy
signature.asc
Description: PGP signature