On 03.11.17 14:37, Janne Johansson wrote:
2017-11-03 5:06 GMT+01:00 Jacob Leifman <jacob.leif...@weymouthschools.org>:

I was finally able to bring our OpenBSD based Network Management System up
to the current OS release (it was a couple of years out of date) but this
process broke access to a large number of older HP switches on our network.


But this breaks the use of the SSH client, leaving little recourse other
than perhaps telnet with NO encryption instead of somewhat weak encryption,
as the "server" is outside of our control. (I already checked that we have
the latest firmware, less than one year old.)

Is this an oversight or is there a particular logic to intentionally
breaking compatibility with a not-insignificant base of installed
equipment?


If your vendor, even with a <1y firmware, still only can handle old and
deprecated key sizes, you should not ask for everyone else's sshs to become
worse, but rather push the vendor to get up to speed, and since that will
not work, you will have to resort to building older ssh and use that
instead of the safer one that comes with the modern OS you upgraded to.

Same goes for browsers and https, the bad parts of SSL/TLS get weeded out
in browsers so that the majority of users are safe, not kept to cater to
the lowest common denominator of the laziest vendor still alive.

You should be asking HP how come they can't keep the free sshd code updated,
if security is your prime concern, not ask OpenBSD to lower everyone else's
security.

I think for most vendors, it is an administrative rather than a technical question. Yes, their technical people can update code, yes they can do it quickly, but their management is slow...
