On 07/08/16 18:34, Andrey Chernov wrote:
>> Alcatel-Lucent OmniSwitch 6800 login broken (pfSense 2.3.2 which
>> accepted the upstream change, workaround no-go)
>>
>> [2.3.2-RELEASE][r...@gw.lab]/root: ssh -l admin -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.XXX
>> Fssh_ssh_dispatch_run_fatal: Connection to 192.168.1.XXX port 22: DH GEX group out of range
>
> DH prime size must be at least 2048, openssh now refuses lower values.
> Commonly used DH size 1024 can be easily broken. See https://weakdh.org
> diffie-hellman-group1-sha1 uses both DH 1024 and insecure sha1.

I appreciate that, but what do I as a user do about it? My distribution
has changed behaviour I rely on in an operational setting. My initial
reaction is likely to be one of confusion, and general dismay.
I appreciate that this is done for security reasons, but it could take
an arbitrarily long time for a lot of deployed hardware in current use
to be updated.
(On the other hand, the introduction of, say, ED25519 has been more
gradual, and has tended to see uptake in e.g. Linux-based ARM products.)
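An added illustration, not part of the thread and not OpenSSH's own code, of the client-side size check behind the "DH GEX group out of range" error quoted above: the server's group-exchange reply (SSH_MSG_KEX_DH_GEX_GROUP, RFC 4419) carries the prime p and generator g, and the client rejects p when its bit length is below the 2048-bit minimum the thread states. The function names, the 8192-bit upper bound and the two sample moduli are assumptions constructed for this example.

```python
import struct

SSH_MSG_KEX_DH_GEX_GROUP = 31  # message number from RFC 4419
MIN_BITS = 2048                # minimum prime size stated in the thread
MAX_BITS = 8192                # assumed upper bound for this example

def mpint(n):
    """Encode a positive integer as an SSH mpint (RFC 4251)."""
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")  # extra zero byte only if MSB is set
    return struct.pack(">I", len(raw)) + raw

def gex_group_payload(p, g=2):
    """Build the server's GEX_GROUP message: byte 31, mpint p, mpint g."""
    return bytes([SSH_MSG_KEX_DH_GEX_GROUP]) + mpint(p) + mpint(g)

def read_mpint(buf, off):
    """Decode one mpint at offset off; return (value, next offset)."""
    (length,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("truncated mpint")
    return int.from_bytes(buf[off + 4:end], "big", signed=True), end

def check_gex_group(payload, min_bits=MIN_BITS, max_bits=MAX_BITS):
    """Return (accepted, prime_bits, reason) for a GEX_GROUP payload."""
    if not payload or payload[0] != SSH_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("not a KEX_DH_GEX_GROUP message")
    p, off = read_mpint(payload, 1)
    g, _ = read_mpint(payload, off)
    if p <= 0 or g <= 1:
        return False, p.bit_length(), "invalid group parameters"
    bits = p.bit_length()
    if bits < min_bits or bits > max_bits:
        return False, bits, "DH GEX group out of range"
    return True, bits, "ok"

# Constructed stand-ins with the right bit lengths; they are not real primes.
LEGACY_1024 = (1 << 1023) | 1
MODERN_2048 = (1 << 2047) | 1

if __name__ == "__main__":
    for name, p in (("1024-bit", LEGACY_1024), ("2048-bit", MODERN_2048)):
        print(name, check_gex_group(gex_group_payload(p)))
```
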