Re: svn commit: r303716 - head/crypto/openssh

2016-08-09 Thread Warner Losh
> On Aug 8, 2016, at 10:45 PM, Warner Losh wrote: > > On Mon, Aug 8, 2016 at 4:41 AM, Dag-Erling Smørgrav wrote: >> Warner Losh writes: >>> Andrey Chernov writes: FreeBSD 11 is not released yet (betas are not counted),

Re: svn commit: r303716 - head/crypto/openssh

2016-08-09 Thread Warner Losh
On Mon, Aug 8, 2016 at 1:25 AM, Brooks Davis wrote: > On Sun, Aug 07, 2016 at 03:48:44PM -0700, Xin Li wrote: >> >> >> On 8/7/16 14:20, Warner Losh wrote: >> > >> >> On Aug 7, 2016, at 3:11 PM, Andrey Chernov wrote: >> >> >> >>> OTOH, FreeBSD has a

Re: svn commit: r303716 - head/crypto/openssh

2016-08-09 Thread Warner Losh
On Mon, Aug 8, 2016 at 4:41 AM, Dag-Erling Smørgrav wrote: > Warner Losh writes: >> Andrey Chernov writes: >> > FreeBSD 11 is not released yet (betas are not counted), stable-10 too, >> > so it is right time to deprecate for them. >> Nice try,

Re: svn commit: r303716 - head/crypto/openssh

2016-08-08 Thread Garance A Drosehn
On 7 Aug 2016, at 7:40, Bruce Simpson wrote: > On 07/08/16 11:58, Bruce Simpson wrote: >> Is there a way to revert this change, at least on an ongoing >> operational basis (e.g. configuration file) for those of us who >> use FreeBSD to connect directly to such devices? > > I was able to override

Re: svn commit: r303716 - head/crypto/openssh

2016-08-08 Thread Brooks Davis
On Sun, Aug 07, 2016 at 03:48:44PM -0700, Xin Li wrote: > > > On 8/7/16 14:20, Warner Losh wrote: > > > >> On Aug 7, 2016, at 3:11 PM, Andrey Chernov wrote: > >> > >>> OTOH, FreeBSD has a documented deprecation process that says things will > >>> continue working for a major

Re: svn commit: r303716 - head/crypto/openssh

2016-08-08 Thread Dag-Erling Smørgrav
Warner Losh writes: > Andrey Chernov writes: > > FreeBSD 11 is not released yet (betas are not counted), stable-10 too, > > so it is right time to deprecate for them. > Nice try, but feature freeze was months ago. Have you got buy in from the > security

Re: svn commit: r303716 - head/crypto/openssh

2016-08-08 Thread Baptiste Daroussin
On Mon, Aug 08, 2016 at 11:40:55AM +0100, Bruce Simpson wrote: > On 08/08/16 11:36, Dag-Erling Smørgrav wrote: > > Bruce Simpson writes: > > > Alcatel-Lucent OmniSwitch 6800 login broken > ... > > This patch did not remove weak DH groups. That happened in 7.0p1 back > > in

Re: svn commit: r303716 - head/crypto/openssh

2016-08-08 Thread Bruce Simpson
On 08/08/16 11:36, Dag-Erling Smørgrav wrote: Bruce Simpson writes: Alcatel-Lucent OmniSwitch 6800 login broken ... This patch did not remove weak DH groups. That happened in 7.0p1 back in January. So my reading of this is that PuTTy may be the best workaround for

Re: svn commit: r303716 - head/crypto/openssh

2016-08-08 Thread Dag-Erling Smørgrav
Bruce Simpson writes: > Alcatel-Lucent OmniSwitch 6800 login broken (pfSense 2.3.2 which > accepted the upstream change, workaround no-go) > > [2.3.2-RELEASE][r...@gw.lab]/root: ssh -l admin > -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.XXX >

Re: svn commit: r303716 - head/crypto/openssh

2016-08-08 Thread Dag-Erling Smørgrav
Andrey Chernov writes: > You should address your complaints to the original openssh author instead; it > was his decision to get rid of weak algos. In my personal opinion, if > your hardware is outdated, just drop it out. We can't turn our security > team into a compatibility team, by

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Andrey Chernov
On 08.08.2016 1:48, Xin Li wrote: > Well, despite the fact that I have to admit that I get locked out from > my own storage box too, however (even without wearing any hat) I am for > the change and would blame myself for being lazy in adopting the change > when the upstream have announced it

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Andrey Chernov
On 08.08.2016 0:28, Andrey Chernov wrote: > On 08.08.2016 0:20, Warner Losh wrote: >> >>> On Aug 7, 2016, at 3:11 PM, Andrey Chernov wrote: >>> OTOH, FreeBSD has a documented deprecation process that says things will continue working for a major release after being

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Xin Li
On 8/7/16 14:20, Warner Losh wrote: > >> On Aug 7, 2016, at 3:11 PM, Andrey Chernov wrote: >> >>> OTOH, FreeBSD has a documented deprecation process that says things will >>> continue working for a major release after being formally deprecated. >> >> FreeBSD 11 is not

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Andrey Chernov
On 08.08.2016 0:20, Warner Losh wrote: > >> On Aug 7, 2016, at 3:11 PM, Andrey Chernov wrote: >> >>> OTOH, FreeBSD has a documented deprecation process that says things will >>> continue working for a major release after being formally deprecated. >> >> FreeBSD 11 is not

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Warner Losh
> On Aug 7, 2016, at 3:11 PM, Andrey Chernov wrote: > >> OTOH, FreeBSD has a documented deprecation process that says things will >> continue working for a major release after being formally deprecated. > > FreeBSD 11 is not released yet (betas are not counted), stable-10

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Andrey Chernov
On 07.08.2016 22:56, Slawa Olhovchenkov wrote: > On Sun, Aug 07, 2016 at 10:42:56PM +0300, Andrey Chernov wrote: > >> On 07.08.2016 22:10, Slawa Olhovchenkov wrote: >>> On Sun, Aug 07, 2016 at 10:02:52PM +0300, Andrey Chernov wrote: >>> On 07.08.2016 21:52, Slawa Olhovchenkov wrote: >>

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Peter Jeremy
On 2016-Aug-07 15:25:54 +0300, Andrey Chernov wrote: >You should address your complaints to the original openssh author instead; it >was his decision to get rid of weak algos. No. It's up to the person who imported the code into FreeBSD to understand why the change was made and to

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Slawa Olhovchenkov
On Sun, Aug 07, 2016 at 10:42:56PM +0300, Andrey Chernov wrote: > On 07.08.2016 22:10, Slawa Olhovchenkov wrote: > > On Sun, Aug 07, 2016 at 10:02:52PM +0300, Andrey Chernov wrote: > > > >> On 07.08.2016 21:52, Slawa Olhovchenkov wrote: > Why have you still not > sent your opinion to the

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Andrey Chernov
On 07.08.2016 22:10, Slawa Olhovchenkov wrote: > On Sun, Aug 07, 2016 at 10:02:52PM +0300, Andrey Chernov wrote: > >> On 07.08.2016 21:52, Slawa Olhovchenkov wrote: Why have you still not sent your opinion to the author? >>> >>> I am not sure about a suitable response from the author. >>> May

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Slawa Olhovchenkov
On Sun, Aug 07, 2016 at 10:02:52PM +0300, Andrey Chernov wrote: > On 07.08.2016 21:52, Slawa Olhovchenkov wrote: > >> Why have you still not > >> sent your opinion to the author? > >> > > > > I am not sure about a suitable response from the author. > > Maybe project [FreeBSD] chooses some compromise. > >

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Andrey Chernov
On 07.08.2016 21:52, Slawa Olhovchenkov wrote: >> Why have you still not >> sent your opinion to the author? >> > > I am not sure about a suitable response from the author. > Maybe project [FreeBSD] chooses some compromise. IMHO blindly choosing some compromise without asking the author's opinion first will be

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Slawa Olhovchenkov
On Sun, Aug 07, 2016 at 09:34:51PM +0300, Andrey Chernov wrote: > On 07.08.2016 21:23, Slawa Olhovchenkov wrote: > > On Sun, Aug 07, 2016 at 09:06:37PM +0300, Andrey Chernov wrote: > > > >> On 07.08.2016 20:43, Andrey Chernov wrote: > >>> On 07.08.2016 20:37, Slawa Olhovchenkov wrote: > On

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Andrey Chernov
On 07.08.2016 21:23, Slawa Olhovchenkov wrote: > On Sun, Aug 07, 2016 at 09:06:37PM +0300, Andrey Chernov wrote: > >> On 07.08.2016 20:43, Andrey Chernov wrote: >>> On 07.08.2016 20:37, Slawa Olhovchenkov wrote: On Sun, Aug 07, 2016 at 08:34:55PM +0300, Andrey Chernov wrote: > On

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Andrey Chernov
On 07.08.2016 20:43, Andrey Chernov wrote: > On 07.08.2016 20:37, Slawa Olhovchenkov wrote: >> On Sun, Aug 07, 2016 at 08:34:55PM +0300, Andrey Chernov wrote: >> >>> On 07.08.2016 20:31, Andrey Chernov wrote: On 07.08.2016 19:14, Bruce Simpson wrote: > On 07/08/16 15:40, Warner Losh

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Andrey Chernov
On 07.08.2016 20:37, Slawa Olhovchenkov wrote: > On Sun, Aug 07, 2016 at 08:34:55PM +0300, Andrey Chernov wrote: > >> On 07.08.2016 20:31, Andrey Chernov wrote: >>> On 07.08.2016 19:14, Bruce Simpson wrote: On 07/08/16 15:40, Warner Losh wrote: > That’s a cop-out answer. We, as a

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Andrey Chernov
On 07.08.2016 20:31, Andrey Chernov wrote: > On 07.08.2016 19:14, Bruce Simpson wrote: >> On 07/08/16 15:40, Warner Losh wrote: >>> That’s a cop-out answer. We, as a project, need to articulate to our >>> users, whom we care about, why this rather obnoxious hit to usability >>> was taken. The

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Andrey Chernov
On 07.08.2016 19:14, Bruce Simpson wrote: > On 07/08/16 15:40, Warner Losh wrote: >> That’s a cop-out answer. We, as a project, need to articulate to our >> users, whom we care about, why this rather obnoxious hit to usability >> was taken. The answer must be more complete than “We just disabled

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Slawa Olhovchenkov
On Sun, Aug 07, 2016 at 08:34:55PM +0300, Andrey Chernov wrote: > On 07.08.2016 20:31, Andrey Chernov wrote: > > On 07.08.2016 19:14, Bruce Simpson wrote: > >> On 07/08/16 15:40, Warner Losh wrote: > >>> That’s a cop-out answer. We, as a project, need to articulate to our > >>> users, whom we

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Bruce Simpson
On 07/08/16 18:34, Andrey Chernov wrote: Alcatel-Lucent OmniSwitch 6800 login broken (pfSense 2.3.2 which accepted the upstream change, workaround no-go) [2.3.2-RELEASE][r...@gw.lab]/root: ssh -l admin -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.XXX Fssh_ssh_dispatch_run_fatal:

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Andrey Chernov
On 07.08.2016 20:31, Andrey Chernov wrote: > On 07.08.2016 19:14, Bruce Simpson wrote: >> On 07/08/16 15:40, Warner Losh wrote: >>> That’s a cop-out answer. We, as a project, need to articulate to our >>> users, whom we care about, why this rather obnoxious hit to usability >>> was taken. The

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Bruce Simpson
On 07/08/16 15:40, Warner Losh wrote: That’s a cop-out answer. We, as a project, need to articulate to our users, whom we care about, why this rather obnoxious hit to usability was taken. The answer must be more complete than “We just disabled it because upstream disabled it for reasons we’re

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Andrey Chernov
On 07.08.2016 17:40, Warner Losh wrote: > >> On Aug 7, 2016, at 7:21 AM, Andrey Chernov wrote: >>> We can't turn our security team into a compatibility team by constantly restoring removed code; such code quickly becomes outdated and may add new security holes

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Warner Losh
> On Aug 7, 2016, at 7:21 AM, Andrey Chernov wrote: >> >>> We can't turn our security >>> team into a compatibility team by constantly restoring removed code; such >>> code quickly becomes outdated and may add new security holes even being >>> inactive. >> >> What is security

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Andrey Chernov
On 07.08.2016 15:52, Slawa Olhovchenkov wrote: >> You should address your complaints to the original openssh author instead; it >> was his decision to get rid of weak algos. In my personal opinion, if >> your hardware is outdated, just drop it out. > > Hardware outdated by outdated main function, not

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Slawa Olhovchenkov
On Sun, Aug 07, 2016 at 03:25:54PM +0300, Andrey Chernov wrote: > On 07.08.2016 14:59, Bruce Simpson wrote: > > On 07/08/16 12:43, Oliver Pinter wrote: > >>> I was able to override this (somewhat unilateral, to my mind) > >>> deprecation of the DH key exchange by using this option: > >>>

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Ed Schouten
2016-08-07 14:25 GMT+02:00 Andrey Chernov : > You should address your complaints to the original openssh author instead; it > was his decision to get rid of weak algos. In my personal opinion, if > your hardware is outdated, just drop it out. We can't turn our security > team into

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Andrey Chernov
On 07.08.2016 14:59, Bruce Simpson wrote: > On 07/08/16 12:43, Oliver Pinter wrote: >>> I was able to override this (somewhat unilateral, to my mind) >>> deprecation of the DH key exchange by using this option: >>> -oKexAlgorithms=+diffie-hellman-group1-sha1 >> >> You can add this option to

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Bruce Simpson
On 07/08/16 12:43, Oliver Pinter wrote: I was able to override this (somewhat unilateral, to my mind) deprecation of the DH key exchange by using this option: -oKexAlgorithms=+diffie-hellman-group1-sha1 You can add this option to /etc/ssh/ssh.conf or ~/.ssh/config too. Can this at least be

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Oliver Pinter
On 8/7/16, Bruce Simpson wrote: > On 07/08/16 11:58, Bruce Simpson wrote: >> Is there a way to revert this change, at least on an ongoing operational >> basis (e.g. configuration file) for those of us who use FreeBSD to >> connect directly to such devices? > > I was able to

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Bruce Simpson
On 07/08/16 11:58, Bruce Simpson wrote: Is there a way to revert this change, at least on an ongoing operational basis (e.g. configuration file) for those of us who use FreeBSD to connect directly to such devices? I was able to override this (somewhat unilateral, to my mind) deprecation of

Re: svn commit: r303716 - head/crypto/openssh

2016-08-07 Thread Bruce Simpson
DES, I believe this breaks logging into various embedded network devices, unfortunately. E.g. the Netonix WISP Switch, which uses an embedded Linux variant with dropbear 0.51. It is expecting to use DSA not RSA for the key exchange. Is there a way to revert this change, at least on an

Re: svn commit: r303716 - head/crypto/openssh

2016-08-03 Thread Glen Barber
On Wed, Aug 03, 2016 at 04:08:22PM +, Dag-Erling Smørgrav wrote: > Author: des > Date: Wed Aug 3 16:08:21 2016 > New Revision: 303716 > URL: https://svnweb.freebsd.org/changeset/base/303716 > > Log: > Remove DSA from default cipher list and disable SSH1. > > Upstream did this a long

Re: svn commit: r303716 - head/crypto/openssh

2016-08-03 Thread Dag-Erling Smørgrav
Benjamin Kaduk writes: > Which branch(es) are MFC targets? It will be merged to stable/11 before the release and documented in the release notes. > (Does POLA no longer apply to them?) Things change over time. Such is the nature of software (and of life). POLA does not mean

Re: svn commit: r303716 - head/crypto/openssh

2016-08-03 Thread Benjamin Kaduk
On Wed, Aug 3, 2016 at 11:08 AM, Dag-Erling Smørgrav wrote: > Author: des > Date: Wed Aug 3 16:08:21 2016 > New Revision: 303716 > URL: https://svnweb.freebsd.org/changeset/base/303716 > > Log: > Remove DSA from default cipher list and disable SSH1. > > Upstream did this a