FYI: SSH1 now disabled at compile-time by default

Nico Kadel-Garcia nkadel at gmail.com
Thu Mar 26 17:30:07 AEDT 2015


On Wed, Mar 25, 2015 at 11:45 AM, Christoph Anton Mitterer
<calestyo at scientia.net> wrote:
> On Wed, 2015-03-25 at 18:48 +1100, Damien Miller wrote:
>> Our ability to influence people who run truly obsolete software is
>> extremely limited.
> +1, mostly because those who still use something that outdated in their
> products are either dead, or simply don't care about their customers'
> security (which is typical in the embedded devices area).
> Just by us (or anyone else) saying anything, that won't change.
>
>> The best we can do is deprecate as noisily as
>> possible after an extremely generous grace period. This is what we are
>> doing.
> I think just deprecating is what has been done years ago - everyone can
> by now truly know that SSH1 should not have been used since a long time.
>
> I'd even support if you really remove the v1 related code from the
> codebase. Just deactivating it per default and affected people will
> simply enable it again, without bothering to do their homework.
> And even if 6.9 would really lack v1 support, people could still just
> use anything <6.9 for v1 - they won't be less secure.

Yanking it out wholesale should be part of a 7.0 build, not an
incremental release. That's a major incompatibility with one heck of a
lot of existing code, much of which is on extended support.


More information about the openssh-unix-dev mailing list