On Wed, Oct 13, 2021 at 05:38:56PM +0200, Michael Prokop wrote:
> the current upstream version is 8.8p1 (see [1]), I'm sure that
> the package maintainers are aware of this, but I couldn't find any
> tracking bug report about this, so reporting it here. :)
>
> Given that there are plenty of new features, but also the (upcoming)
> deprecation of scp(1), the disabled RSA signatures using the SHA-1
> hash algorithm,... it would be nice to get a more current OpenSSH
> version in Debian.
I'm indeed aware of this; but this is a good opportunity to explain the status, so thanks.

The first issue was in sorting out an updated version of the GSS-API key exchange patch, which these days we maintain in conjunction with Fedora, but I wanted to sort out a new branch maintenance strategy. The current version of this is https://github.com/openssh-gsskex/openssh-gsskex/pull/23. (I don't think it's necessary to wait for review here; I've pulled that PR into my packaging in progress.)

The second issue was that when I put together updated packaging and started my usual testing, I discovered that the SSH implementation in Twisted Conch doesn't support rsa-sha2-* signatures (https://twistedmatrix.com/trac/ticket/9765). I've actually known about this for a while but it had unfortunately slipped my mind. Fixing this requires first implementing RFC 8308 extension negotiation, which is currently pending review as https://github.com/twisted/twisted/pull/1666.

The reason I care about this, beyond general interoperability, is that in my day job my team maintains some SSH endpoints which use Twisted Conch, and it would be personally very inconvenient if we had to suddenly start fielding lots of support requests due to the default OpenSSH configuration in Debian refusing to talk to them; so I realize that isn't necessarily compelling for everyone, but I'd rather hold off until I get this sorted out. (I might stick 8.8p1 packages in experimental before then, though.)

I'll keep pushing on the Twisted issues, and hopefully we can get this sorted out soon.

-- 
Colin Watson (he/him) [[email protected]]
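The RFC 8308 mechanism the thread refers to is the SSH_MSG_EXT_INFO message, whose "server-sig-algs" extension is how a server tells a client that it accepts rsa-sha2-256/rsa-sha2-512 public-key signatures. The following is an added example, not code from the thread, from OpenSSH or from Twisted: it builds and parses the message wire format from RFC 8308 and checks whether a constructed server advertisement would let an RSA key be used without the SHA-1 ssh-rsa algorithm. The constant and helper names are this example's own.

```python
import struct

SSH_MSG_EXT_INFO = 7  # message number assigned by RFC 8308
RSA_SHA2_ALGS = {"rsa-sha2-256", "rsa-sha2-512"}


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_ext_info(extensions) -> bytes:
    """Build an SSH_MSG_EXT_INFO payload: byte 7, uint32 count, then name/value string pairs."""
    payload = bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", len(extensions))
    for name, value in extensions:
        payload += ssh_string(name) + ssh_string(value)
    return payload


def _read_string(buf: bytes, off: int):
    """Read one length-prefixed string at offset, refusing lengths that run past the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string length exceeds payload")
    return buf[off:off + n], off + n


def parse_ext_info(payload: bytes) -> dict:
    """Parse an SSH_MSG_EXT_INFO payload into {extension-name: raw value}."""
    if not payload or payload[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an SSH_MSG_EXT_INFO message")
    (count,) = struct.unpack_from(">I", payload, 1)
    off, exts = 5, {}
    for _ in range(count):
        name, off = _read_string(payload, off)
        value, off = _read_string(payload, off)
        exts[name.decode("ascii")] = value
    if off != len(payload):
        raise ValueError("trailing bytes after extensions")
    return exts


def rsa_sha2_supported(ext_info: dict) -> bool:
    """True only if the server explicitly advertised an rsa-sha2-* signature algorithm.
    A missing server-sig-algs (what a server without RFC 8308 support looks like) yields False."""
    algs = ext_info.get("server-sig-algs")
    if algs is None:
        return False
    return bool(RSA_SHA2_ALGS & set(algs.decode("ascii").split(",")))


# Constructed sample advertisement, modelled on what an RFC 8308-capable server sends.
SAMPLE_EXT_INFO = build_ext_info([(b"server-sig-algs", b"ssh-ed25519,rsa-sha2-256,rsa-sha2-512")])
```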

