Re: OpenSSH support for FIDO RSA keys

On 30.08.21 05:01, Damien Miller wrote:
> On Mon, 30 Aug 2021, David Newall wrote:
>> Removing DSS removes management access to the equipment and the only 
>> reason is a pedantic complaint that DSS is trivially broken.
>>
>> Please don't break equipment over well-meaning pedantry.
> 
> I bet this (once) expensive equipment still supports telnet, so
> nothing is being broken.

As long as the definition of "getting broken" covers "things suddenly
stop working as they were", it *still* breaks setups where plain
TELNET+FTP has been disabled or firewalled in favor of "more secure" SSH.

Which doesn't mean that DSS, and thus the firmware's implementation of
SSH, should not be considered the thing to have broken *first*, but.

On 30.08.21 06:23, Peter Moody wrote:
> even if it doesn't, the idea that someone would assume support of this
> equipment is the responsibility of the openssh maintainers, rather
> than the _vendor_, blows my mind.

FWIW, I'm *nowhere* near labeling any specific problem of *mine* a
"responsibility" of the OpenSSH developers.

Pray tell, though, at what level does "a bunch of somebodies" turn into
"a compatibility issue" or "a valid use case" or somesuch?

$ cat .ssh/config .ssh/config.d/* | grep -c '^Host'
709
$ cat .ssh/config .ssh/config.d/* | grep dss
        HostKeyAlgorithms       ssh-dss
        HostKeyAlgorithms       ssh-dss
        HostKeyAlgorithms       +ssh-dss
        HostKeyAlgorithms       +ssh-dss
        HostKeyAlgorithms       +ssh-dss
        HostKeyAlgorithms       +ssh-dss

(Yes, I already default-disabled DSS on my workplace machine. And no,
not all of those six targets are someplace I can easily set up a VPN to,
or a VM with a current OpenSSH server in.)

> save a statically linked copy of openssh that supports your old
> crypto, problem solved.

*sigh* Right *now*, I *could* do that ... our auditors have had "version
control of *Linux*-based workplace computers, too" on their wishlist for
quite a while, though.

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
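The grep above only counts ssh-dss lines; before a client upgrade that drops DSS, an admin usually wants to know *which* Host stanzas depend on it. The following is an added example (not code from the thread or from the OpenSSH project) that walks an ssh_config(5)-style client config and prints each Host stanza whose HostKeyAlgorithms selects ssh-dss, treating "-ssh-dss" as a removal rather than a dependency. It assumes the "keyword value" form of directives (not "keyword=value") and uses a constructed sample config for the demo run.

```shell
#!/bin/sh
# dss_hosts FILE... : print "host<TAB>HostKeyAlgorithms value" for every Host
# stanza that selects ssh-dss. Directives before the first Host line are
# reported under "*", Match blocks under the Match line itself.
# Assumption: directives use the "keyword value" form of ssh_config(5).
dss_hosts() {
    awk '
        BEGIN { host = "*" }                      # global section until the first Host
        tolower($1) == "host" {
            host = ""
            for (i = 2; i <= NF; i++) host = host (i > 2 ? " " : "") $i
            next
        }
        tolower($1) == "match" {
            line = $0; sub(/^[ \t]+/, "", line)
            host = "(" line ")"
            next
        }
        tolower($1) == "hostkeyalgorithms" && NF >= 2 {
            val = $2
            if (substr(val, 1, 1) == "-") next    # "-ssh-dss" removes DSS: not a dependency
            list = val
            sub(/^[+^]/, "", list)                # "+"/"^" extend the default list
            n = split(list, algs, ",")
            for (i = 1; i <= n; i++)
                if (algs[i] == "ssh-dss") { print host "\t" val; break }
        }
    ' "$@"
}

# Demo on a constructed sample config (hostnames are made up for this example).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host core-switch
    HostKeyAlgorithms ssh-dss
Host modern-box
    HostKeyAlgorithms ssh-ed25519
Host old-kvm
    HostKeyAlgorithms +ssh-rsa,ssh-dss
Host hardened
    HostKeyAlgorithms -ssh-dss
EOF
dss_hosts "$sample"
rm -f "$sample"
```

Run it against `~/.ssh/config ~/.ssh/config.d/*` to get the list of targets that will lose SSH access once the client stops offering ssh-dss; each such host is a candidate for a firmware update, a jump host with an older client, or a documented exception.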
