On 3/11/21 1:01 PM, Richard W.M. Jones wrote:
On Thu, Mar 11, 2021 at 03:50:57PM +0100, Daniel Pocock wrote:
On 11/03/2021 12:13, Florian Weimer wrote:
* Richard W. M. Jones:
I really hope we don't remove the ability to connect to old servers
(eg. running RHEL 5). At the moment you have to opt-in by setting the
crypto-policy to LEGACY and running update-crypto-policies(8), which
is bearable.
In the past (long, long ago), I had to enable Telnet on target devices
to work around incompatible cryptography policies. I hope we are not
going to return to that.
Giving people an option to use broken crypto on-demand may appear
reasonable at first glance. In practice, there are sites where people
turn it on to meet a deadline or end a service outage and then they
never go back to remove it.
Ideally there would be some ssh option to enable it on the single ssh
command (rather than globally). This would solve the problem you've
outlined there.
+1 to this. I still connect to old appliances that I don't manage so I
can't migrate them, but I am OK with my current alias as:
alias ssh-legacy='ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oPubkeyAcceptedKeyTypes=+ssh-rsa'
in order to connect to those systems and still remember that I am using
a relatively insecure connection. I preferred an alias to modifying
the system crypto policy.
The context here is P2V/V2V where we are connecting to old physical
machines and virtualizing them or pulling VMs off them on to modern
systems.
Rich.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
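Added example, not from any message in this thread and not Fedora's or OpenSSH's own tooling: the two per-connection ways to get the thread's legacy algorithms without touching the system crypto policy (the alias's -o options, and an equivalent Host stanza in ~/.ssh/config), plus a small audit that counts legacy algorithm lines that apply to every connection, which is the "turned on for a deadline and never removed" state Florian describes. The host names and the two sample configs are constructed for the example; the algorithm and option names are real OpenSSH identifiers. HostKeyAlgorithms is included on top of what the thread's alias sets because OpenSSH 8.8 and later also reject ssh-rsa host-key signatures by default.

```shell
#!/bin/sh
# Added example (not code from the thread): scope legacy SSH algorithms to
# one host instead of the global crypto policy, and audit an ssh_config for
# legacy algorithms that apply to every connection.

# Real OpenSSH algorithm identifiers; the hosts used below are hypothetical.
LEGACY_KEX='diffie-hellman-group1-sha1'
LEGACY_PUBKEY='ssh-rsa'

# Per-invocation form, like the alias in the thread: the options exist only
# in this command's argv, nothing on disk or in the crypto policy changes.
legacy_ssh_args() {
    printf -- '-oKexAlgorithms=+%s -oHostKeyAlgorithms=+%s -oPubkeyAcceptedKeyTypes=+%s' \
        "$LEGACY_KEX" "$LEGACY_PUBKEY" "$LEGACY_PUBKEY"
}

# Persistent form: a Host stanza that enables the legacy algorithms for the
# named host only. "+" appends to the defaults instead of replacing them.
legacy_host_stanza() {
    host="$1"
    printf 'Host %s\n    KexAlgorithms +%s\n    HostKeyAlgorithms +%s\n    PubkeyAcceptedKeyTypes +%s\n' \
        "$host" "$LEGACY_KEX" "$LEGACY_PUBKEY" "$LEGACY_PUBKEY"
}

# Audit: read ssh_config text on stdin and print the number of algorithm
# lines that enable a legacy algorithm for every connection, i.e. lines
# outside any Host/Match block, or under "Host *" / "Match all".
count_global_legacy() {
    awk -v kex="$LEGACY_KEX" -v pk="$LEGACY_PUBKEY" '
        BEGIN { scoped = 0; n = 0 }
        { line = tolower($0) }
        line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next }
        # "Host *" applies everywhere, any other Host pattern is scoped.
        line ~ /^[ \t]*host[ \t]/  { scoped = !(NF == 2 && $2 == "*"); next }
        line ~ /^[ \t]*match[ \t]/ { scoped = !(NF == 2 && tolower($2) == "all"); next }
        !scoped && line ~ /^[ \t]*(kexalgorithms|hostkeyalgorithms|pubkeyacceptedkeytypes|pubkeyacceptedalgorithms)[ \t]/ {
            if (index(line, tolower(kex)) || index(line, tolower(pk))) n++
        }
        END { print n }'
}

# Constructed sample: legacy algorithms enabled at top level, so every
# connection (including to modern hosts) offers them.
GLOBAL_LEGACY_CONFIG='KexAlgorithms +diffie-hellman-group1-sha1
PubkeyAcceptedKeyTypes +ssh-rsa
Host bastion.example
    User admin'

# Constructed sample: same algorithms, but only for the one old appliance.
SCOPED_LEGACY_CONFIG="Host *
    ServerAliveInterval 30
$(legacy_host_stanza old-appliance.example)"

echo "one-off command: ssh $(legacy_ssh_args) admin@old-appliance.example"
echo "global legacy lines in the bad config:    $(printf '%s\n' "$GLOBAL_LEGACY_CONFIG" | count_global_legacy)"
echo "global legacy lines in the scoped config: $(printf '%s\n' "$SCOPED_LEGACY_CONFIG" | count_global_legacy)"
```

To check a real client config, feed it in with `count_global_legacy < ~/.ssh/config`; anything above zero means the legacy algorithms are being offered to every server, not just the old appliance. The audit only sees ssh_config, so the system crypto policy (update-crypto-policies --show) still needs a separate look.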