FYI: SSH1 now disabled at compile-time by default
Dan Kaminsky
dan at doxpara.com
Wed Mar 25 19:17:30 AEDT 2015
We can be a little louder than release notes. It's probably a little
sketchy to just warn people against 5.x with all the backporting of
security fixes going on. It'd be nice to say the specific CVE's or
patchsets you'd like people to be sure they're running. As you say,
there's some nasty capability out there.
And after all these years, there's a lot of trust in you, and OpenSSH.
It's well earned.
It's a good time to be doing this shift. A lot of crypto is being
sunsetted. Just recommending a bit more awareness first.
On Wed, Mar 25, 2015 at 1:10 AM, Damien Miller <djm at mindrot.org> wrote:
> On Wed, 25 Mar 2015, Dan Kaminsky wrote:
>
> > What would it hurt to announce the release in 3-6 months will drop
> > SSHv1 to a compile time option
>
> We did exactly that in the last release. See what I mean about nobody
> reading the release notes?
>
> > The alternative is they eventually trace back why some random critical
> > system failed to this very thread and are like, yeah, never blindly
> > push *that* guy's code...
>
> I hope nobody ever blindly pushes my code.
>
> -d
>
>
More information about the openssh-unix-dev
mailing list