Largest vendor kit that only went EOL 2 years ago needs special config to allow a DH algorithm that has been deprecated in the version of openssh on a MacOS that is older++ than the OS image on the kit.

What has changed in the last 20 years is cryptanalysis leading to feasible attacks in minutes with a decent GPU - oh, and the whole post-quantum encryption stuff and tonnes of cryptography hotness running through CFRG.

Wouldn't be a problem if security added shareholder value, but stuff like fortinet/barracuda/salt typhoon has ably demonstrated that the market careth not, so why should the vendors? /rant

> On 18 Dec 2025, at 21:05, Michael Thomas via NANOG <[email protected]>
> wrote:
>
>
>> On 12/18/25 7:24 AM, Andrew Latham via NANOG wrote:
>> Matt
>>
>> Some open software would really keep a lot of this stuff out of the
>> trash. I have Cyclades and Lantronix stuff on a shelf that works. I
>> got tired of maintaining a box-in-the-middle to deal with ssh ciphers.
>
> Have cipher suites really changed that much in the last 20 years or so? After
> the sha1 kerfuffle and needing to up RSA key sizes, has there been much
> change?
>
> Or are you talking about some seriously old kit that predates that?
>
> Mike, out of the loop
>
>
>>
>>> On Thu, Dec 18, 2025 at 7:43 AM Matt Brennan <[email protected]> wrote:
>>> Up until recently I was using the Raritan Dominion SX II models. Dual PSU,
>>> dual NIC, and configurations ranging from 4 to 48 ports. However, Raritan
>>> has just discontinued that as of June. It is unclear how long they will
>>> continue to provide security patches.
>>>
>>> They are recommending customers switch to the ZPE Systems Nodegrid Serial
>>> Consoles. It looks to be much the same, but I haven't had a chance to test
>>> one yet. The only difference I've noticed is the ZPE device seems to have
>>> an embedded 5G cellular module.
>>>
>>>
>>> On Thu, 18 Dec 2025 at 09:34, Andrew Latham via NANOG
>>> <[email protected]> wrote:
>>>> Dan
>>>>
>>>> I have stacks and stacks of serial console servers. Today I mostly use
>>>> an https://www.coolgear.com/product/32-port-rs-232-usb-to-serial-adapter
>>>> with some pictures of the guts at
>>>> https://lathama.net/Tech/Hardware/USB-32COM-RM if interested. It is my
>>>> solution to a quick build of an https://freetserv.github.io/
>>>>
>>>> (I have seen some things)
>>>>
>>>> On Wed, Dec 17, 2025 at 5:51 PM Dan Mahoney via NANOG
>>>> <[email protected]> wrote:
>>>>> Hey there folks.
>>>>>
>>>>> Dayjob has historically used USB TTY pods attached to real BSD machines
>>>>> to talk to our cisco consoles, with the amazing benefit that with a
>>>>> program like Vixie's rtty (or conserver) you can also capture the output
>>>>> of those consoles in real-time, and perhaps use that data to identify a
>>>>> connected device.
>>>>>
>>>>> As a bonus, because the rackmount devices have real DE-9's on them, it
>>>>> means they work with any kind of cable you get (not just your standard
>>>>> rj45 cisco rollover like you might get with a Cyclades thing -- and you
>>>>> don't have to come up with the weird-ass mappings for rj45-serial like
>>>>> you might need for our ME4012 NAS (the serial cable is a stereo plug),
>>>>> our smart power strips (it's either a stereo plug, or an rj12), or
>>>>> something like an older brocade switch (it's a DE9, but it's friggin ODD,
>>>>> and I think it may also be the wrong gender).
>>>>>
>>>>> It also means, since you're running a real OS, you have patches as long
>>>>> as the OS is supported (so you're not stuck with "gee it only speaks
>>>>> rsa1024"), versus some EOL appliance. But it's also 2u, and since we're
>>>>> recently buying a lot of Dell hardware, that's Super Overkill for a dell,
>>>>> so I'm evaluating maybe just going "Appliance".
>>>>>
>>>>> If we stick with an existing unix box for this, I'd want something with
>>>>> proper IPMI/OOB (so Rpi is out) but maybe the dumbest, shallowest-depth
>>>>> atom64 supermicro you can find, in the event you need to do a reinstall
>>>>> or catch a hung system.
>>>>>
>>>>> Are there things that other folks are using that are "easy" to work with
>>>>> that you've found to have Long firmware lives, decent warranties and low
>>>>> hassle? Does anything these days actually have DE9s on it?
>>>>>
>>>>> -Dan
>>>>>
>>>>> (You may have also seen my note earlier about the Cisco ASR920, which has
>>>>> RS232 pins in a USB-A header. No, not via a PL2032 chip inside the host
>>>>> that provides a virtual serial...direct txd/rxd/gnd/cts etc, on the USB
>>>>> pins. I've seen things you people wouldn't believe)
>>>>> _______________________________________________
>>>>> NANOG mailing list
>>>>> https://lists.nanog.org/archives/list/[email protected]/message/5VV3B6CVSW3KVIFFU4GOF5V5FAI625IG/
>>>>
>>>>
>>>> --
>>>> - Andrew "lathama" Latham -
>>>> _______________________________________________
>>>> NANOG mailing list
>>>> https://lists.nanog.org/archives/list/[email protected]/message/CPBVORP6B7P5ZJ6CN4TX4YZNFYWZMGSC/
>>
>>
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/[email protected]/message/Z4SBTD3J6VR24NDBUYWPIIGFQSTDZGWW/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/HEODRQTFLOHSUGS26APDR4QQY33LYKXX/
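The "special config" the top of the thread alludes to, i.e. a modern OpenSSH client talking to console kit whose firmware only offers a deprecated DH key exchange, is usually a per-host `Host` stanza in `~/.ssh/config`. The fragment below is an added example and not something any poster in the thread supplied; the host name `oob-console.example.net`, the user name and the `known_hosts.legacy` path are placeholders. The point of scoping it to one `Host` block is that the weak algorithms are never offered to anything else.

```sshconfig
# Added example, not from the thread: re-enable legacy SSH algorithms for
# exactly one end-of-life console server instead of loosening global defaults.
# oob-console.example.net, the user and the known_hosts path are placeholders.

Host oob-console.example.net
    User admin
    # '+' appends to the client's default list rather than replacing it, so a
    # modern key exchange is still preferred whenever the peer offers one.
    KexAlgorithms +diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    # Old firmware commonly presents only an ssh-rsa host key and SHA-1 MACs.
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
    MACs +hmac-sha1
    # Pin the host key in a dedicated file: a weaker exchange is tolerable for
    # an out-of-band console, an unverified peer is not.
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts.legacy

# Every other host keeps the stock OpenSSH defaults; no global overrides here.
```

Two checks are worth running before and after adding this. `ssh -Q kex` lists the key-exchange methods the installed client still has compiled in; if `diffie-hellman-group1-sha1` is absent there, no amount of configuration brings it back and the box-in-the-middle approach mentioned upthread is what remains. `ssh -G oob-console.example.net | grep -i kexalgorithms` prints the algorithm list the client will actually offer that host, which is the quickest way to confirm the stanza matched only the host you intended. The symptom that sends people looking for this in the first place is the client's "Unable to negotiate ... no matching key exchange method found" error, which also names the algorithm the peer offered, so you are not guessing which one to append.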
