On Thu, 10 Apr 2025, Ed Maste wrote:
On Wed, 19 Mar 2025 at 17:21, Jan Bramkamp <[email protected]> wrote:
As long as it's "only" a compile-time option away for FreeBSD to enable
this flawed cipher I would like to have it compiled in by default so it
doesn't require installing SSH from ports to connect to some stupid old
router/switch/UPS/whatever over SSH. As long as it won't negotiate that
cipher with the default configuration that's safe enough for my needs.
TL;DR: Please keep it enabled at compile-time, but configured
disabled. FreeBSD shouldn't require recompiling the base system to
connect to older embedded devices.
It's a compile-time option in 9.9 and earlier. As of 10.0 the
configure infrastructure has been removed but the source hasn't yet
been deleted. I expect that will happen soon though.
We'll keep DSA available, at least in stable branches, as long as it's
reasonably convenient and safe to do so, but won't patch it back in
once the source is removed.
Is there any chance to keep an openssh (client) port (possibly with known
security risks)?
Do we have alternative ssh clients in ports which will keep supporting
DSA?
I kind-of understand why OpenBSD is doing what they do (and have long
announced so) but I also see the real world out there.
The amount of network gear which relies on it still is massive.
I evaluated some GPON SFPs last year which have no alternative to manage
them but enabling ssh-dss. They run ancient Linux 3.x on tiny spaces;
once certified, they run forever. Come back in 20 years. No more DSA, no
more management.
Lots of old switches out there belong in similar categories and the
"=+ssh-rsa,ssh-dss" configs have grown. Even 11ax access points still
fall into that category (though they could be upgraded if someone was to
do the software).
I think providing a list of alternative clients somewhere for our
users who still need it would be very good. A wiki page or something
so it can be easily maintained? Not endorsing anything just listing it.
Bjoern
--
Bjoern A. Zeeb r15:7
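The thread's point is the split between compile-time support and runtime configuration: if the client binary still carries DSA, ssh-dss can be re-enabled narrowly for the one legacy box instead of globally. The fragment below is an added illustration, not something from the thread or from FreeBSD's OpenSSH; the host alias, address and path are constructed placeholders.

```ssh_config
# ~/.ssh/config (constructed example)

# Weak form: re-enables the flawed algorithm for every connection.
# Avoid this; it silently accepts DSA host keys from any server.
#HostKeyAlgorithms +ssh-dss

# Scoped form: only the legacy device gets ssh-dss appended to the
# default host-key algorithm list ("+" adds to the defaults rather than
# replacing them). All other hosts keep the compiled-in defaults.
Host legacy-sfp
    HostName 192.0.2.10
    HostKeyAlgorithms +ssh-dss
    # Only needed if you must authenticate *with* a DSA user key too:
    #PubkeyAcceptedAlgorithms +ssh-dss
    # Pin the device's key so a later downgrade-style swap is noticed:
    UserKnownHostsFile ~/.ssh/known_hosts_legacy
    StrictHostKeyChecking yes
```

Before relying on this, run "ssh -Q key" on the client: if ssh-dss is missing from the list, DSA was compiled out (the 10.0 situation Ed describes) and no ssh_config setting can bring it back.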