On Thu, Dec 03, 2015 at 06:15:44PM +0100, Klaus Ethgen wrote:
> On Thu, 3 Dec 2015 at 17:57, Colin Watson wrote:
> > This is true, although I rather suspect that it was in fact an
> > ineffective configuration in the first place (i.e. blowfish was never in
> > fact selected). You could easily confirm this by downgrading and using
> > "ssh -vvv" with your old configuration; in fact, I encourage you to do
> > so and post the output here.
>
> It was as I configured "Cipher" _and_ "Ciphers". While Ciphers has
> blowfish-cbc in the first place, Cipher was expecting blowfish without
> -cbc.

Aha.

> > You can always override global ssh_config at a per-user level. Your
> > report is about accessing other systems from an upgraded ssh client,
> > which means that it is irrelevant whether the remote side is root with
> > pubkey authentication only or an ordinary user account.
>
> Nope, not that. I have it overwritten in my local .ssh/config file but
> it still complains about the error in global file.
>
> Well, I access the local server from a local client on a system that
> only allows passwordless root access via localhost ssh.

Oh, right, got it. In that case I suggest using "ssh -F ~/.ssh/config",
since that will cause it to not even try to parse /etc/ssh/ssh_config;
you can then use that to make the system's /etc/ssh/ssh_config consistent
with the upgraded client. Does that help?

> > - Support for the legacy SSH version 1 protocol is disabled by default
> > at compile time.
> - Some (legacy or not) cipher algorithms are not legal anymore.
> Check your configuration before you upgrade.
>
> I do not know if it makes sense to enlist that explicitly. I would as it
> makes it easier for people to find it in their config.

I probably won't amend debian/changelog, but I'll include something like
that in NEWS.Debian.

> > particularly since I do in fact strongly agree with
> > disabling protocol 1!
>
> Oh, you find "Protocol 2" in all my configurations. However, on client
> side I still need to have protocol 1 as many embedded systems like
> routers only have ssh1 support.

Yes, I'm not sure of the right long-term approach for that. I rather
suspect that OpenSSH upstream is hoping to act as a forcing function to
get those systems to get their act together with long-overdue upgrades,
which seems laudable but I don't know how successful it will be.

As far as Debian is concerned, it may make sense to add a separate
client-only binary package for those that really really need it, but I'll
see how things look over time; it may be that protocol 1 support is
entirely removed from the OpenSSH source tree in the near future, which
would make it difficult to support such a thing longer-term.

-- 
Colin Watson [[email protected]]
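The "check your configuration before you upgrade" advice above can be scripted. This is an added example, not part of the thread or of Debian's openssh packaging: a POSIX sh function that scans an ssh_config-style file for the three legacy settings the thread discusses (the protocol-1-only "Cipher" keyword, "Protocol" lists that include 1, and blowfish-cbc in "Ciphers"). It assumes the whitespace-separated `Keyword value` form and a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the thread). Flags legacy ssh_config directives so
# they can be fixed before upgrading the client. Assumes "Keyword value"
# syntax (no "Keyword=value"); keywords are matched case-insensitively.

# check_legacy_ssh_config FILE
# Prints one line per finding; returns 0 if the file is clean, 1 otherwise.
check_legacy_ssh_config() {
    file="$1"
    found=0
    while IFS= read -r line; do
        line="${line%%#*}"          # drop trailing comments
        set -- $line                # split into keyword and value words
        [ $# -ge 1 ] || continue    # blank or comment-only line
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        shift
        case "$key" in
            cipher)      # protocol-1-only keyword, rejected by newer clients
                printf 'legacy: "Cipher" is a protocol-1-only option: %s\n' "$*"
                found=1 ;;
            protocol)    # "1" or "2,1" both enable protocol 1
                case ",$*," in
                    *,1,*) printf 'legacy: Protocol 1 enabled: %s\n' "$*"; found=1 ;;
                esac ;;
            ciphers)     # blowfish-cbc is no longer offered by default
                case "$*" in
                    *blowfish-cbc*) printf 'legacy: blowfish-cbc listed in Ciphers: %s\n' "$*"; found=1 ;;
                esac ;;
        esac
    done < "$file"
    return $found
}

# make_sample_config FILE: writes a constructed config mixing legacy and clean hosts
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
Host embedded-router
    Protocol 2,1
    Cipher blowfish
    Ciphers blowfish-cbc,aes128-ctr
Host modern
    Protocol 2
    Ciphers aes128-ctr
EOF
}
```

Run it against /etc/ssh/ssh_config and ~/.ssh/config; a clean exit status means neither file carries the settings that the thread says the upgraded client rejects.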

