Mathieu Arnold wrote: > > On Sun, Sep 12, 2021 at 05:09:45AM +0700, Eugene Grosbein wrote: > > 10.09.2021 1:01, Ed Maste wrote: > >=20 > > > To check whether a server is using the weak ssh-rsa public key > > > algorithm, for host authentication, try to connect to it after > > > removing the ssh-rsa algorithm from ssh(1)'s allowed list: > > >=20 > > > ssh -oHostKeyAlgorithms=3D-ssh-rsa user@host > > >=20 > > > If the host key verification fails and no other supported host key > > > types are available, the server software on that host should be > > > upgraded. > >=20 > > I have some telco equipment (E1/SS7) based on custom Linux distro built b= > y a vendor: > >=20 > > $ ssh -oHostKeyAlgorithms=3D-ssh-rsa user@host > > Unable to negotiate with X.X.X.X port 22: no matching host key type found= > =2E Their offer: ssh-rsa > >=20 > > I've already asked the vendor for possible upgrade and was told that no u= > pgrade will be available. > >=20 > > Will I be able to use ssh_config and following command to re-enable the f= > eature after planned import? > >=20 > > HostKeyAlgorithms ssh-rsa > > Same here, I have many telco and even switches and routers that only > support ssh-rsa, will it be possible to use a ssh_config knob to enable > it back?
Same here. A mix of new & old hardware using ssh protocol on an internal net behind a firewall. Functionality required. Not pointless damage! So mark old protocols "less secure, better use .." & set defaults to newer, but do not erase working protocols; let users decide what's best in each case. Removal of old protocols to force users to force world's hardware vendors to all upgrade, & "Devil take the hindmost" is draconian ! Aside: An exmple of old hardware safe using old ssh behind a firewall: HP Network Scanjet with ADF - Converted to use FreeBSD-4.11, http://berklix.com/scanjet/ Works perfectly, FreeBSD 11 12 or 13 too big! Any old ssh sufficient for rdist6 & sftp etc. Siren voices to cripple ssh, would cripple use of old hardware, disrupt & waste other people's money, & dump more scrapped hardwarare on the planet. Think Green: Retain old protocols, but mark them less secure. Cheers, -- Julian Stacey http://berklix.com/jhs/ http://stolenvotes.uk _______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"