The hardware issue with VME not connected to any external (Internet accessible) network is a fact of life.

The SL6 issue is a different matter. Not only are various applications vulnerable to compromises from the Internet, but so is the kernel as well as kernel systems support software. As vulnerabilities are "discovered", patches/re-writes also should be made available to lessen the risk of a compromise. The mechanical bicycle analogy is not truly applicable. A macroscopic mechanical device can be kept in service provided spares are available, can be substituted (different derailleur), or fabricated (appropriate materials, machine tools, castings, forgings, etc). Software (or hardware/firmware that can be compromised through hard "backdoors") repair is not trivial and typically not worth the effort if updates are available that maintain backward compatibility. If backward compatibility is needed but not available, and there are vulnerabilities, then a risk analysis must be evaluated.

On 1/9/23 13:15, Konstantin Olchanski wrote:
On Sun, Jan 08, 2023 at 08:48:33AM -0500, Nico Kadel-Garcia wrote:

There is a third party SRPM at:
            
https://urldefense.proofpoint.com/v2/url?u=http-3A__rnd.rajven.net_centos_6_os_SRPMS_openssh-2D6.4p1-2D1cnt6.1.src.rpm&d=DwIBaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=gd8BzeSQcySVxr0gDWSEbN-P-pgDXkdyCtaMqdCgPPdW1cyL5RIpaIYrCn8C5x2A&m=APF_X_sbP87-U3byu32i-cPT0N0xHPBEhLmLSTRjCbrt6c02NpZBAfu3Z0LoBDLm&s=RoFP8HoZRy6liEx_Q1o6LAJzDhmsdUjdbqtBPSwXUrI&e=


For the record, urldefence successfully obscures the fact that it points
to rnd.rajven.net which happens to be registered in Moscow, Russia, per
xttps://www.whois.com/whois/rajven.net

A year ago, I would have said, yay, thanks!

But after certain recent events, I say thank you, but no, thanks.

P.S.

It looks like my remaining option is to build openssh from OpenBSD "portable" 
sources.

P.P.S. to answer some comments:

- obsolete - only because you say so. like a mechanical bike, it does today 
what it did yesterday, users are happy.
- "so old" - like a grandfather's axe, most of our SL6 machines' hardware was 
upgraded 2-3 times by now, they run from SSDs on DDR3/DDR4 RAM machines.
- exception is VME processors - true Pentium-3 and Pentium-4 machines, fit for a museum. purported 
replacement ("core-2 duo" CPU) was a lemon (high mortality, all dead now). next purported 
replacement was okay, but went out of production too soon. "just replace it" people 
should look at current prices for VME processors and VME hardware, then ask about delivery times, 
then come back with suggestions (and $$$).
- insecure - exactly where? ssh insecure? nfs insecure? https insecure (A+ 
score from SSLlabs)?
- "hide behind firewall!" - done, 1-2 layers of firewalls. external ssh and 
https access is required by function.
- VMs, containers - shuffle chairs in the titanic, does not address any of the 
issues above.
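
Added example, not part of the original thread: a decoder for the Proofpoint URL Defense v2 wrapping discussed above, so the real destination host of a rewritten link can be read before anyone follows it. The function names are hypothetical, and the sample is the link from the thread with its trailing tracking parameters dropped.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Link from the thread, with the trailing tracking parameters (c, r, m, s, e) dropped.
SAMPLE = ("https://urldefense.proofpoint.com/v2/url?u=http-3A__rnd.rajven.net_centos_6_os"
          "_SRPMS_openssh-2D6.4p1-2D1cnt6.1.src.rpm&d=DwIBaQ")

WRAPPER_HOST = re.compile(r"^urldefense(\.proofpoint)?\.com$", re.IGNORECASE)
BAD_ESCAPE = re.compile(r"-(?![0-9A-Fa-f]{2})")  # '-' not followed by two hex digits


def decode_urldefense_v2(wrapped: str) -> str:
    """Return the original URL carried in the u= parameter of a v2 link."""
    parts = urlsplit(wrapped)
    if not WRAPPER_HOST.match(parts.hostname or "") or not parts.path.startswith("/v2/"):
        raise ValueError("not a URL Defense v2 link")
    values = parse_qs(parts.query).get("u")
    if not values:
        raise ValueError("missing u= parameter")
    encoded = values[0]
    if BAD_ESCAPE.search(encoded):
        raise ValueError("malformed -XX escape in u= parameter")
    # v2 writes '/' as '_' and every other special byte as '-XX' (hex),
    # so mapping '-' to '%' and '_' to '/' yields ordinary percent-encoding.
    return unquote(encoded.translate(str.maketrans("-_", "%/")))


def original_host(wrapped: str) -> str:
    """Host a mail filter or a reader should judge, not the wrapper's host."""
    return urlsplit(decode_urldefense_v2(wrapped)).hostname or ""


if __name__ == "__main__":
    print(decode_urldefense_v2(SAMPLE))
    print(original_host(SAMPLE))
```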
