FYI: SSH1 now disabled at compile-time by default

Gert Doering gert at greenie.muc.de
Sat Mar 28 00:15:47 AEDT 2015


Hi,

On Fri, Mar 27, 2015 at 12:53:05PM +0100, Hubert Kario wrote:
> On Thursday 26 March 2015 11:19:28 Michael Felt wrote:
> > Experience: I have some hardware, on an internal network - that only
> > supports 40-bit ssl. I am forced to continue to use FF v17 because that was
> > the last browser to provide SSL40-bit support. My security is weakened
> > because I cannot update that browser, and I continue to lose plugins
> > because they do not support FF17 anymore. All other browsers stopped
> > support earlier as well.
> 
> Please put the device behind a stunnel and don't put yourself at risk.

I don't think Michael is accessing that device over the Internet - but even
*in house* some devices force you to jump through such hoops.

Like, old HP ILO that you can't get updates for, that insist on using SSL,
but then fail to interoperate with recent browsers.  So what are you going
to do?  "Throw away a perfectly working and secure machine, because its
out of band interface is crap" or "keep around an old and insecure browser"?

Same thing with needing sshv1 to access old network gear where even sshv1
was an achievement.  "Throw away gear that does its job perfectly well,
but has no sshv2 for *management*" or "keep around an ssh v1 capable 
client"?

I, for one, need to explain why I buy new gear, and "because the out of
band / management access only does sshv1" is not a good reason for my 
management ("then just use telnet, no?")...

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de