FYI: SSH1 now disabled at compile-time by default

Dan Kaminsky dan at doxpara.com
Wed Mar 25 19:03:26 AEDT 2015


(Also, assume the sandbox doesn't exist when you decide what build people
should upgrade to.)

On Wed, Mar 25, 2015 at 12:54 AM, Dan Kaminsky <dan at doxpara.com> wrote:

> Protocols and ciphers are sunsetted all the time, this is a regular thing,
> but there are announcements before breaking changes are inserted.  You
> assume people are slow to update anyway; some are, some aren't, what you're
> doing is wildly rewarding the slow updaters and punishing the fast ones.
> That has negative effects elsewhere.
>
> What would it hurt to announce the release in 3-6 months will drop SSHv1
> to a compile time option, and that people should be running (for example)
> at least OpenSSH 5.9x?  You've got vendor class authority here, tell people
> what you want and give them some time to implement your directive.  The
> alternative is they eventually trace back why some random critical system
> failed to this very thread and are like, yeah, never blindly push *that*
> guy's code...
>
>
> On Wed, Mar 25, 2015 at 12:48 AM, Damien Miller <djm at mindrot.org> wrote:
>
>> On Tue, 24 Mar 2015, Dan Kaminsky wrote:
>>
>> BTW you didn't respond to this. IMO it is the essence of the problem:
>>
>> > > At this point, I don't think any further discussion is going to
>> > > make any difference. Do you think another two years would make an
>> > > appreciable change to the numbers you posted above, beyond old
>> > > hardware literally dying of old age?
>>
>> Our ability to influence people who run truly obsolete software is
>> extremely limited. The best we can do is deprecate as noisily as
>> possible after an extremely generous grace period. This is what we are
>> doing.
>>
>> -d
>>
>
>
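The thread argues over an upgrade floor ("at least OpenSSH 5.9x") and over hosts that still speak SSHv1. Before pushing a client build that has SSH1 compiled out, an administrator would want to know which hosts in the estate still advertise protocol 1 and which run an OpenSSH older than the floor. The check below is an added example and is not code from the thread or from the OpenSSH project; it parses SSH identification strings (RFC 4253 section 5.1: "SSH-protoversion-softwareversion" with an optional comment, where protoversion "1.99" means a server that accepts both SSH-1 and SSH-2 and "1.x" otherwise means SSH-1 only) and flags hosts that need attention. The host inventory, the tab-separated "host<TAB>banner" layout and the 5.9 floor are assumptions; the banners are constructed, not captured from real systems.

```python
import re

# Constructed sample inventory (not real hosts): one "host<TAB>identification string"
# per line, as a banner-grabbing scan might record it.
SAMPLE_BANNERS = """\
db01\tSSH-1.99-OpenSSH_5.3
web01\tSSH-2.0-OpenSSH_6.7p1 Debian-5
legacy-kvm\tSSH-1.5-OpenSSH_3.9p1
bastion\tSSH-2.0-OpenSSH_5.9p1
switch7\tSSH-1.99-Cisco-1.25
"""

# Assumed upgrade floor, taken from the "at least OpenSSH 5.9x" suggestion above.
MIN_OPENSSH = (5, 9)

# RFC 4253 5.1 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)")


def parse_banner(banner):
    """Split an identification string into protocol and software facts.

    Returns None for anything that is not a well-formed SSH banner.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    proto = m.group("proto")
    software = m.group("software")
    ov = OPENSSH_RE.match(software)
    return {
        "proto": proto,
        "software": software,
        # "1.99" is a dual-protocol server; any other "1.x" is SSH-1 only.
        "speaks_v1": proto.startswith("1."),
        "speaks_v2": proto == "2.0" or proto == "1.99",
        # Major/minor of OpenSSH if the software string identifies one, else None.
        "openssh_version": (int(ov.group(1)), int(ov.group(2))) if ov else None,
    }


def audit(inventory, min_openssh=MIN_OPENSSH):
    """Return {host: [findings]} for hosts an SSH1-less client upgrade would affect."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, banner = line.partition("\t")
        info = parse_banner(banner)
        findings = []
        if info is None:
            findings.append("unparseable identification string: %r" % banner)
        else:
            if not info["speaks_v2"]:
                # A client built without SSH1 cannot talk to this host at all.
                findings.append("SSH-1 only: unreachable from a client without SSH1 support")
            elif info["speaks_v1"]:
                # Reachable over SSH-2, but protocol 1 is still enabled server-side.
                findings.append("still advertises SSH-1 (protoversion 1.99)")
            ver = info["openssh_version"]
            if ver is not None and ver < min_openssh:
                findings.append("OpenSSH %d.%d is older than the %d.%d floor" % (ver + min_openssh))
        if findings:
            results[host] = findings
    return results


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_BANNERS).items():
        for f in findings:
            print("%-12s %s" % (host, f))
```

Hosts that only speak SSH-1 are the ones that break outright once the client no longer carries protocol 1; hosts answering "1.99" keep working over SSH-2 but should have protocol 1 switched off on the server side. Non-OpenSSH software strings are not version-checked, since the floor in the thread is stated for OpenSSH.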

