Stuart Henderson <stu@xxxxxxxxxxxxxxx> writes:

> On 2021/08/30 11:43, David Newall wrote:
>> On 28/8/21 2:57 am, Peter Stuge wrote:
>>> Damien Miller wrote:
>>>> I'm expecting a big fight when I eventually push to remove ssh-dss,
>>> FWIW I think that's long overdue, and understand your worry.
>>
>> I, too, understand your worry, but I also understand why there will be a lot
>> of pushback against removing it.
>>
>> A lot of equipment, perfectly good equipment, expensive equipment, but old
>> equipment requires it. Most of it is behind a security appliance, so the real
>> risk is negligible, if indeed it's not actually zero.
>>
>> Removing DSS removes management access to the equipment and the only reason
>> is a pedantic complaint that DSS is trivially broken.
>>
>> Please don't break equipment over well-meaning pedantry.
>
> Oh not this one again. OpenSSH already removed support for things used
> by some devices. It is annoying but the world didn't end - if you need
> to use some separate legacyssh binary (sometimes spelt 'p l i n k') to
> connect it acts as a good reminder that you're not really using a secure
> protocol for that connection.

I agree -- I believe it is important that users of OpenSSH end up with secure channels, since that is the expectation that OpenSSH gives. Support for insecure algorithms and features can be moved to a side-project called (say) 'InscuriSSH' and a tool 'ish', if there is enough interest to maintain it, similar in spirit to the OpenSSH Portability version.

Count me as +1 on removing ssh-dss now.

/Simon
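The practical question behind the thread is which devices would actually lose management access when ssh-dss goes away, i.e. which hosts offer a DSA host key and nothing else. The script below is an added example, not code from the thread or from OpenSSH: it reads ssh-keyscan's "host keytype base64key" output and lists the hosts whose only host key type is ssh-dss, so an inventory scan can be run before upgrading the client. It assumes the scanning ssh-keyscan can still request DSA keys (-t dsa); on a build where ssh-dss is already disabled the scan cannot retrieve them, which is precisely the situation the thread describes. The sample keyscan output embedded in the block is constructed, with truncated placeholder key material.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the OpenSSH project):
# find hosts whose host keys are ssh-dss only, using ssh-keyscan's output
# format "host keytype base64key". Hostnames below are constructed.

# dss_only_hosts: read ssh-keyscan lines on stdin, print each host that
# offers an ssh-dss key and no other key type, one host per line, sorted.
dss_only_hosts() {
    awk '
        /^#/ || NF < 3 { next }              # skip keyscan comments / blank lines
        {
            seen[$1] = 1                     # $1 = host (or [host]:port)
            if ($2 == "ssh-dss") dss[$1] = 1 # $2 = key type
            else                 other[$1] = 1
        }
        END {
            for (h in seen)
                if ((h in dss) && !(h in other)) print h
        }
    ' | sort
}

# scan_hosts: run ssh-keyscan against the given hosts, explicitly asking
# for DSA as well as the default types, and report the ssh-dss-only ones.
# Assumes an ssh-keyscan that still accepts "-t dsa".
scan_hosts() {
    ssh-keyscan -t dsa,rsa,ecdsa,ed25519 "$@" 2>/dev/null | dss_only_hosts
}

# Constructed sample of ssh-keyscan output (key blobs truncated with "..."):
# one legacy switch with only a DSA key, one modern host that still offers
# DSA alongside RSA and Ed25519, and one embedded UPS controller with DSA only.
SAMPLE_KEYSCAN='# old-switch.example:22 SSH-2.0-OpenSSH_5.3
old-switch.example ssh-dss AAAAB3NzaC1kc3MAAACB...
# modern-host.example:22 SSH-2.0-OpenSSH_8.6
modern-host.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...
modern-host.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQ...
modern-host.example ssh-dss AAAAB3NzaC1kc3MAAACB...
# old-ups.example:22 SSH-2.0-dropbear
old-ups.example ssh-dss AAAAB3NzaC1kc3MAAACB...'

# demo: run the filter over the constructed sample. Expected result:
# old-switch.example and old-ups.example; modern-host.example is not
# listed because it also offers non-DSA host keys.
demo() {
    printf '%s\n' "$SAMPLE_KEYSCAN" | dss_only_hosts
}

demo
```

Run `scan_hosts host1 host2 ...` against a real inventory to get the list of devices that will need the separate legacy client (or a firmware update) once ssh-dss is removed; hosts that also offer an RSA, ECDSA or Ed25519 key keep working as long as the client is allowed to pick one of those.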
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev