-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Colin,
Am Do den 3. Dez 2015 um 18:54 schrieb Colin Watson: > > > You can always override global ssh_config at a per-user level. Your > > > report is about accessing other systems from an upgraded ssh client, > > > which means that it is irrelevant whether the remote side is root with > > > pubkey authentication only or an ordinary user account. > > > > Nope, not that. I have it overwritten in my local .ssh/config file but > > it still complains about the error in global file. > > > > Well, I access the local server from a local client on a system that > > only allows passwordless root access vial localhost ssh. > > Oh, right, got it. In that case I suggest using "ssh -F ~/.ssh/config", > since that will cause it to not even try to parse /etc/ssh/ssh_config; > you can then use that to make the system's /etc/ssh/ssh_config > consistent with the upgraded client. Does that help? That might. I for myself found another way as I use puppet on all of my boxes. But it took me hard in the first place. > > > particularly since I do in fact strongly agree with > > > disabling protocol 1! > > > > Oh, you find "Protocol 2" in all my configurations. However, on client > > side I still need to have protocol 1 as many embedded systems like > > routers only have ssh1 support. > > Yes, I'm not sure of the right long-term approach for that. I rather > suspect that OpenSSH upstream is hoping to act as a forcing function to > get those systems to get their act together with long-overdue upgrades, > which seems laudable but I don't know how successful it will be. As far > as Debian is concerned, it may make sense to add a separate client-only > binary package for those that really really need it, but I'll see how > things look over time; it may be that protocol 1 support is entirely > removed from the OpenSSH source tree in the near future, I hope that too. I don't like to have protocoll 1 enabled. However, I know how ignorant those companies are and I know that I have no real influent to it. > which would make it difficult to support such a thing longer-term. That for sure. Gruß Klaus - -- Klaus Ethgen http://www.ethgen.ch/ pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <kl...@ethgen.ch> Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQGcBAEBCgAGBQJWYXhpAAoJEKZ8CrGAGfast6EL/29suMdXNKLmWT6GU2IcprSB xIFF1lANJexOp7nD3g0LvKZ6UhdaBHmGahDYtXC0dCco4Q5xagk93nRey0WvFItV BQ44pyWDJyRSEU4kFdJYKk0u4TS8bpOAfupR6Va9wZtUYxiaXehhP20f+zK6Rz06 9O86m5Afej8lFGYSyAkEJ4w1hQF4Pkyf/zMVxtnJDCU15CJDEXe+OMnllNJtjqFW AxOAxCmlIlVPDKf+S3588SvPFs6BrU6cKQAydBarhcwSAMlVHzhB0qKzWdaxtMJe 3lRwhdTkm6QVhIm5psaPl5zzc9Cvgemrq3M6ncQSSX7zncmlBvdrfJiae6apVw+W Q2fnqK19zg8xdpaDsCGi3I529eD034llVWGnlqXpDgnGDAIaOpCRpwfF2NwbjGpp NSGV27jn1e2cdgMBSUij5ak7g2Md0miZnxEv8+zeztOH1MXwQqFZ1rX13oulfVcg Kaq8ss0XJifhYk1jWCUTyuThtEdp66svgyRkBU6DUQ== =IY7K -----END PGP SIGNATURE-----