Mathieu Arnold wrote:
> 
> On Sun, Sep 12, 2021 at 05:09:45AM +0700, Eugene Grosbein wrote:
> > 10.09.2021 1:01, Ed Maste wrote:
> > 
> > > To check whether a server is using the weak ssh-rsa public key
> > > algorithm, for host authentication, try to connect to it after
> > > removing the ssh-rsa algorithm from ssh(1)'s allowed list:
> > > 
> > >     ssh -oHostKeyAlgorithms=-ssh-rsa user@host
> > > 
> > > If the host key verification fails and no other supported host key
> > > types are available, the server software on that host should be
> > > upgraded.
> > 
> > I have some telco equipment (E1/SS7) based on a custom Linux distro built by a vendor:
> > 
> > $ ssh -oHostKeyAlgorithms=-ssh-rsa user@host
> > Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-rsa
> > 
> > I've already asked the vendor for a possible upgrade and was told that no upgrade will be available.
> > 
> > Will I be able to use ssh_config and the following command to re-enable the feature after the planned import?
> > 
> > HostKeyAlgorithms ssh-rsa
>
> Same here, I have many telco devices and even switches and routers that only
> support ssh-rsa; will it be possible to use an ssh_config knob to enable
> it back?

Same here.  A mix of new & old hardware using ssh protocol on an internal
net behind a firewall.  Functionality required.  Not pointless damage!

So mark old protocols "less secure, better use .." & set defaults to newer,
but do not erase working protocols; let users decide what's best in each case.

Removal of old protocols to force users to force the world's hardware
vendors to all upgrade, & "Devil take the hindmost", is draconian!

Aside: An example of old hardware safely using old ssh behind a firewall:
        HP Network Scanjet with ADF - Converted to use FreeBSD-4.11,
        http://berklix.com/scanjet/ 
        Works perfectly, FreeBSD 11 12 or 13 too big!
        Any old ssh sufficient for rdist6 & sftp etc.

Siren voices to cripple ssh would cripple use of old hardware, disrupt &
waste other people's money, & dump more scrapped hardware on the planet.
Think Green: Retain old protocols, but mark them less secure.

Cheers,
-- 
Julian Stacey  http://berklix.com/jhs/  http://stolenvotes.uk
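Added example, not code from anyone in this thread or from the OpenSSH project: a POSIX shell helper that classifies the stderr of Ed Maste's check and prints an ssh_config Host stanza that re-enables ssh-rsa only for the hosts that offer nothing else, which is the per-host `+ssh-rsa` override that OpenSSH 8.8 documents for this situation. The host name ss7-gw, the 192.0.2.1 address and the stderr samples in the comments are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread or from OpenSSH).
# classify_offer takes the stderr text of
#     ssh -oHostKeyAlgorithms=-ssh-rsa user@host
# and prints "rsa-only" when the server's "Their offer:" list contains
# nothing but ssh-rsa, or "other" otherwise (negotiation got past the
# host key step, or the server offers at least one non-ssh-rsa type and
# a different problem needs looking at).
classify_offer() {
    case "$1" in
        *"no matching host key type found"*)
            # "Their offer:" is a comma-separated list of host key types
            offer=$(printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr ',' ' ')
            [ -n "$offer" ] || { echo other; return 0; }
            for alg in $offer; do
                [ "$alg" = "ssh-rsa" ] || { echo other; return 0; }
            done
            echo rsa-only
            ;;
        *)
            echo other
            ;;
    esac
}

# legacy_stanza HOST prints a Host block that re-enables ssh-rsa for that
# host only; the client default stays strict for everything else.
# "+" appends to the default list. PubkeyAcceptedAlgorithms only matters
# if you also authenticate to that host with an RSA user key.
legacy_stanza() {
    printf 'Host %s\n' "$1"
    printf '    HostKeyAlgorithms +ssh-rsa\n'
    printf '    PubkeyAcceptedAlgorithms +ssh-rsa\n'
}

# audit_host USER@HOST runs the check against a live host and, if the host
# offers nothing but ssh-rsa, prints the stanza to append to ~/.ssh/config.
# BatchMode keeps it non-interactive; host key checking stays on.
audit_host() {
    err=$(ssh -oHostKeyAlgorithms=-ssh-rsa -oBatchMode=yes -oConnectTimeout=5 \
              "$1" true 2>&1 >/dev/null) || true
    if [ "$(classify_offer "$err")" = rsa-only ]; then
        legacy_stanza "${1#*@}"
    fi
}
```

Run `audit_host user@ss7-gw` for each legacy box and append only the stanzas it prints, so ssh-rsa is accepted per host rather than globally.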
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"