Re: Legacy option for key length?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 31/12/17 13:52, Peter Moody wrote:
By making it impossible for people to use SSH
nb, it's not impossible to use opessh. it might not be possible to use
a*modern*  openssh client to connect to an old, unpatched unmaintained
(by the vendor) sshd. i'd argue that's not the client's fault.

Of course it's the client's fault.  The client worked, was changed, and thus stopped working.  The client wasn't faulty before, and the difference was that some people thought it would be a good idea to break compatibility with other standard-compliant software.  That's got to be the definition of "client's fault" (where "client" means "the people who modified the client".)


you are forcing people to use
less secure software; telnet because they can't use ssh;
alternative interpretation. i'm less likely to buy from a vendor who
has a history of not keeping their software patched. if everyone else
is similarly inclined, vendors will quickly take note.

You're blaming the victim?  It's their fault for lacking prescience?

old, buggy versions
of ssh because that's what they had to install so that they could connect to
their industrial equipment.
I'd personally be more worried about the buggy sshd to which I'm connecting.

By all means worry about that; but there's no suggestion that the server, in this case, is buggy.

maintaining old code isn't free. if you need the old options, ssh1
support, whatever, you should bear the cost of that yourself (by
keeping an old copy around, or compiling it yourself when you need
it). that cost shouldn't be borne by the openssh developers and not
the ret of the community.

The developers fucked up.  They chose to expend effort breaking backwards compatibility when they didn't have to.  For the same effort they could have deprecated shorter keys without disallowing them.

But, by all means, force people to use old versions.  That's got to advance security, doesn't it?  Who knows, maybe you might even cause a fork.  Then there'd be openssh, which doesn't work with lots and lots of stuff, and there'd be universalssh which works with everything, which has all of the latest goodness of openssh (because, why wouldn't it?) without any of the nastiness.  Then Debian and Red Hat would switch, and openssh would become an also-ran.  Not a terrible result for the world but a bad look for the core openssh developers.


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux