On 30.08.21 05:01, Damien Miller wrote:
> On Mon, 30 Aug 2021, David Newall wrote:
>> Removing DSS removes management access to the equipment and the only
>> reason is a pedantic complaint that DSS is trivially broken.
>>
>> Please don't break equipment over well-meaning pedantry.
>
> I bet this (once) expensive equipment still supports telnet, so
> nothing is being broken.

As long as the definition of "getting broken" covers "things suddenly stop working as they were", it *still* breaks setups where plain TELNET+FTP has been disabled or firewalled in favor of "more secure" SSH. Which doesn't mean that DSS, and thus the firmware's implementation of SSH, should not be considered the thing to have broken *first*, but.

On 30.08.21 06:23, Peter Moody wrote:
> even if it doesn't, the idea that someone would assume support of this
> equipment is the responsibility of the openssh maintainers, rather
> than the _vendor_, blows my mind.

FWIW, I'm *nowhere* near labeling any specific problem of *mine* a "responsibility" of the OpenSSH developers. Pray tell, though, at what level does "a bunch of somebodies" turn into "a compatibility issue" or "a valid use case" or somesuch?

$ cat .ssh/config .ssh/config.d/* | grep -c '^Host'
709
$ cat .ssh/config .ssh/config.d/* | grep dss
HostKeyAlgorithms ssh-dss
HostKeyAlgorithms ssh-dss
HostKeyAlgorithms +ssh-dss
HostKeyAlgorithms +ssh-dss
HostKeyAlgorithms +ssh-dss
HostKeyAlgorithms +ssh-dss

(Yes, I already default-disabled DSS on my workplace machine. And no, not all of those six targets are someplace I can easily set up a VPN to, or a VM with a current OpenSSH server in.)

> save a statically linked copy of openssh that supports your old
> crypto, problem solved.

*sigh* Right *now*, I *could* do that ... our auditors have had "version control of *Linux*-based workplace computers, too" on their wishlist for quite a while, though.

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
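A small audit helper, added here and not part of the thread, that goes one step beyond the grep shown above: it attributes each ssh-dss entry to its Host block and tells a replaced algorithm list (a hard DSS dependency) from a "+"/"^" addition to the defaults, which is the inventory one wants before an OpenSSH upgrade drops DSS. The function names and the sample config are constructed for this example.

```python
import re
from typing import Dict
# Constructed sample standing in for the concatenated ~/.ssh/config and config.d/* files.
SAMPLE_CONFIG = """\
# Lines starting with '#' are comments; keywords are case-insensitive.
Host old-switch
    HostKeyAlgorithms ssh-dss
Host legacy-kvm
    hostkeyalgorithms=+ssh-dss
Host hardened
    HostKeyAlgorithms -ssh-dss
Host modern
    HostKeyAlgorithms ssh-ed25519
Host *
    HostKeyAlgorithms +ssh-dss
"""

def parse_host_blocks(text: str) -> Dict[str, Dict[str, str]]:
    """Group options under their Host/Match header ('(global)' before the first one)."""
    blocks: Dict[str, Dict[str, str]] = {"(global)": {}}
    current = "(global)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts "Key value", "Key=value" and "Key = value".
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            current = f"{key} {value}"
            blocks.setdefault(current, {})
        else:
            blocks[current][key] = value
    return blocks

def dss_dependencies(text: str) -> Dict[str, str]:
    """Map each block that still enables ssh-dss to how: 'replaced' (bare list, a hard
    dependency), 'appended' ('+') or 'prepended' ('^') to the defaults; '-' removes it."""
    modes = {"": "replaced", "+": "appended", "^": "prepended"}
    found: Dict[str, str] = {}
    for block, opts in parse_host_blocks(text).items():
        algs = opts.get("hostkeyalgorithms", "")
        prefix = algs[:1] if algs[:1] in ("+", "-", "^") else ""
        names = [a.strip() for a in algs[len(prefix):].split(",")]
        if prefix == "-" or "ssh-dss" not in names:
            continue
        found[block] = modes[prefix]
    return found
```

On a real machine, feed it the concatenation of ~/.ssh/config and every file it Includes. Hosts reported as "appended" may still offer a non-DSS host key, so they need checking against the key type recorded in known_hosts before being counted as blocked by a DSS-less client.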
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev