FYI: SSH1 now disabled at compile-time by default
Dan Kaminsky
dan at doxpara.com
Wed Mar 25 18:54:04 AEDT 2015
Protocols and ciphers are sunsetted all the time, this is a regular thing,
but there are announcements before breaking changes are inserted. You
assume people are slow to update anyway; some are, some aren't, what you're
doing is wildly rewarding the slow updaters and punishing the fast ones.
That has negative effects elsewhere.
What would it hurt to announce the release in 3-6 months will drop SSHv1 to
a compile time option, and that people should be running (for example) at
least OpenSSH 5.9x? You've got vendor class authority here, tell people
what you want and give them some time to implement your directive. The
alternative is they eventually trace back why some random critical system
failed to this very thread and are like, yeah, never blindly push *that*
guy's code...
On Wed, Mar 25, 2015 at 12:48 AM, Damien Miller <djm at mindrot.org> wrote:
> On Tue, 24 Mar 2015, Dan Kaminsky wrote:
>
> BTW you didn't respond to this. IMO it is the essence of the problem:
>
> > > At this point, I don't think any further discussion is going to
> > > make any difference. Do you think another two years would make an
> > > appreciable change to the numbers you posted above, beyond old
> > > hardware literally dying of old age?
>
> Our ability to influence people who run truly obsolete software is
> extremely limited. The best we can do is deprecate as noisily as
> possible after extremely generous grace period. This is what we are
> doing
>
> -d
>
More information about the openssh-unix-dev
mailing list