On Fri, Nov 3, 2017 at 8:37 AM, Janne Johansson <icepic...@gmail.com> wrote:

> 2017-11-03 5:06 GMT+01:00 Jacob Leifman <jacob.leif...@weymouthschools.org>:
>
>> I was finally able to bring our OpenBSD based Network Management System up
>> to the current OS release (it was a couple of years out of date) but this
>> process broke access to a large number of older HP switches on our
>> network.
>>
>> But this breaks the use of SSH client leaving little recourse other
>> than perhaps telnet with NO encryption instead of somewhat weak
>> encryption,
>> as the "server" is outside of our control. (I already checked that we have
>> the latest firmware, less than one year old.)
>>
>> Is this an oversight or is there a particular logic to intentionally
>> breaking compatibility with a not-insignificant base of installed
>> equipment?
>>
> If your vendor, even with a <1y firmware, still can only handle old and
> deprecated key sizes, you should not ask for everyone else's sshs to become
> worse, but rather push the vendor to get up to speed, and since that will
> not work, you will have to resort to building an older ssh and using that
> instead of the safer one that comes with the modern OS you upgraded to.
>
> Same goes for browsers and https: the bad parts of SSL/TLS get weeded out
> in browsers so that the majority of users are safe, not kept to cater to
> the lowest common denominator of the laziest vendor still alive.
>
> You should be asking HP how come they can't keep the free sshd code
> updated, if security is your prime concern, not ask openbsd to lower
> everyone else's security.
>

I am not asking to lower anyone else's security or for SSH to "become
worse"; I appreciate the default behavior being what it is. I am asking
about a way to have an explicit compatibility mode -- even if we are
successful at lobbying a behemoth like HP for an update, it will take time,
probably a lot of time. Nor is a chronically underfunded public school
district in a position to outright replace >$500K worth of switches that
do their primary duties without fail. Not having some kind of compatibility
mode leaves me with a choice of bad and worse. Typical K-12 management
neither understands tech nor can afford to divert funds to "frivolous"
upgrades. Their inevitable response is either "don't upgrade" or "choose
another product", a product that will not have even the basic security
level OpenBSD had, say, three years ago.


>
> --
> May the most significant bit of your life be positive.
>
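The "explicit compatibility mode" asked for above already exists in the OpenSSH client as a per-host override in ssh_config, so legacy algorithms can be scoped to the switches alone while every other connection keeps the hardened defaults. This is an added example, not text from either poster or from HP/OpenSSH documentation; the hostname and address patterns and the particular legacy algorithms the switches need are assumptions, to be replaced with whatever the switch actually offers.

```sshconfig
# ~/.ssh/config (or /etc/ssh/ssh_config) -- added example, not from the thread.
# Legacy algorithms are enabled ONLY for hosts matched by the Host line below;
# all other connections keep the OpenSSH defaults untouched.
# The patterns and algorithm names are assumptions: check the switch's real
# KEXINIT proposal with `ssh -vv <switch>` and enable only what it offers.
Host legacy-sw-*.example.internal 10.0.99.*
    # Old switch firmware often offers only a 1024-bit DH group (assumption).
    # '+' appends to the default list instead of replacing it.
    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    # Host key may be DSA-only on such devices (assumption).
    HostKeyAlgorithms +ssh-dss
    # CBC-mode ciphers are frequently the only ones available (assumption).
    Ciphers +aes128-cbc,3des-cbc
    # Weaker transport crypto makes host-key pinning more important, not less:
    # keep these keys in their own file and never auto-accept a new one.
    UserKnownHostsFile ~/.ssh/known_hosts_legacy
    StrictHostKeyChecking yes
```

This only helps when the failure is an algorithm mismatch; a host key that falls below the client's minimum size cannot be re-allowed from ssh_config, which leaves the separately built older ssh suggested in the quoted reply as the remaining fallback.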
