FYI: SSH1 now disabled at compile-time by default

Christoph Anton Mitterer calestyo at scientia.net
Thu Mar 26 02:45:41 AEDT 2015


On Wed, 2015-03-25 at 18:48 +1100, Damien Miller wrote: 
> Our ability to influence people who run truly obsolete software is
> extremely limited.
+1, mostly because those who still use something that outdated in their
products are either dead, or simply don't care about their customers'
security (which is typical in the embedded devices area).
Just by us (or anyone else) saying anything, that won't change.

> The best we can do is deprecate as noisily as
> possible after extremely generous grace period. This is what we are
> doing
I think just deprecating is what was done years ago - everyone can
by now truly know that SSH1 should not have been used for a long time.

I'd even support if you really remove the v1 related code from the
codebase. Just deactivating it per default and affected people will
simply enable it again, without bothering to do their homework.
And even if 6.9 would really lack v1 support, people could still just
use anything <6.9 for v1 - they won't be less secure.


:)

Chris.