Re: FYI: SSH1 now disabled at compile-time by default


On Friday 27 March 2015 14:15:47 Gert Doering wrote:
> Hi,
> 
> On Fri, Mar 27, 2015 at 12:53:05PM +0100, Hubert Kario wrote:
> > On Thursday 26 March 2015 11:19:28 Michael Felt wrote:
> > > Experience: I have some hardware, on an internal network - that only
> > > supports 40-bit ssl. I am forced to continue to use FF v17 because that
> > > was the last browser to provide SSL 40-bit support. My security is
> > > weakened because I cannot update that browser, and I continue to lose
> > > plugins because they do not support FF17 anymore. All other browsers
> > > stopped support earlier as well.
> > 
> > Please put the device behind a stunnel and don't put yourself at risk.
> 
> I don't think Michael is accessing that device over the Internet - but even
> *in house* some devices force you to jump through such hoops.

Given that he mentions the use of extensions, I'm not so sure he uses it only 
for internal out-of-band management sites...
 
> Like, old HP ILO that you can't get updates for, that insist on using SSL,
> but then fail to interoperate with recent browsers.  So what are you going
> to do?  "Throw away a perfectly working and secure machine, because its
> out of band interface is crap" or "keep around an old and insecure browser"?

Such interfaces should be on a network of their own, so that you have to go 
through a router to connect to them. On the same router you can put the 
stunnel, or a redirect to another machine that does the tunneling, to make sure 
the insecure connections from the trusted network are not routed over the 
regular network (be it company-internal or the Internet).

> Same thing with needing sshv1 to access old network gear where even sshv1
> was an achievement.  "Throw away gear that does its job perfectly well,
> but has no sshv2 for *management*" or "keep around an ssh v1 capable
> client"?

If you depend on hardware like this, you should have support* for it, exactly 
because of issues like this.

 * - where "support" means either that you have other people responsible for 
fixing it, or that you can hire other people to fix it as the need arises
-- 
Regards,
Hubert Kario

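The "stunnel on the router" arrangement discussed in the message above, written out as an added example; it is not part of the original post and not configuration from the OpenSSH or stunnel projects. All hostnames, addresses, ports and file paths are hypothetical. It assumes the router has two interfaces (192.0.2.1 on the trusted side, an address on an isolated 10.99.0.0/24 management segment where the legacy device 10.99.0.10 lives), and that the stunnel build on the router is linked against a TLS library which still permits SSLv3 and the 40-bit export cipher, which current OpenSSL builds do not; that, not stunnel, is usually the hard part.

```ini
; /etc/stunnel/legacy-ilo.conf -- hypothetical example, not from the original post.
; Two services chained over loopback: a modern TLS front end for the admin
; workstation, and a legacy SSL client leg that only ever crosses the isolated
; management segment.

; Global options
setuid     = nobody
setgid     = nogroup
pid        = /var/run/stunnel-legacy-ilo.pid
foreground = no
debug      = notice
output     = /var/log/stunnel-legacy-ilo.log

; Leg 1 (server mode): current browser -> router, modern TLS only.
; The browser is pointed at https://192.0.2.1:8443/ and sees this certificate.
[ilo-frontend]
accept     = 192.0.2.1:8443
connect    = 127.0.0.1:18443
cert       = /etc/stunnel/router-frontend.pem
key        = /etc/stunnel/router-frontend.key
sslVersion = TLSv1.2
ciphers    = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384

; Leg 2 (client mode): router -> legacy device, the only place the weak
; protocol is spoken. SSLv3 and EXP-RC4-MD5 are what the device supports,
; not a recommendation; verify = 3 pins the device's own certificate so a
; host on the management segment cannot impersonate it.
[ilo-backend]
client     = yes
accept     = 127.0.0.1:18443
connect    = 10.99.0.10:443
sslVersion = SSLv3
ciphers    = EXP-RC4-MD5
verify     = 3
CAfile     = /etc/stunnel/ilo-device-cert.pem
```

For this to actually confine the weak link, the router's packet filter must also refuse to forward traffic from the trusted network into 10.99.0.0/24, so that the stunnel front end is the only path to the device. The 40-bit export leg remains trivially breakable by anyone who can sniff the management segment; the arrangement limits who that can be, it does not repair the device.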

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

