FYI: SSH1 now disabled at compile-time by default
Hubert Kario
hkario at redhat.com
Sat Mar 28 00:36:50 AEDT 2015
On Friday 27 March 2015 14:15:47 Gert Doering wrote:
> Hi,
>
> On Fri, Mar 27, 2015 at 12:53:05PM +0100, Hubert Kario wrote:
> > On Thursday 26 March 2015 11:19:28 Michael Felt wrote:
> > > Experience: I have some hardware, on an internal network - that only
> > > supports 40-bit SSL. I am forced to continue to use FF v17 because that
> > > was the last browser to provide SSL 40-bit support. My security is
> > > weakened because I cannot update that browser, and I continue to lose
> > > plugins because they do not support FF17 anymore. All other browsers
> > > stopped support earlier as well.
> >
> > Please put the device behind a stunnel and don't put yourself at risk.
>
> I don't think Michael is accessing that device over the Internet - but even
> *in house* some devices force you to jump through such hoops.
Given that he mentions using extensions, I'm not so sure he uses it only
for internal out-of-band management sites...
> Like, old HP ILO that you can't get updates for, that insist on using SSL,
> but then fail to interoperate with recent browsers. So what are you going
> to do? "Throw away a perfectly working and secure machine, because its
> out of band interface is crap" or "keep around an old and insecure browser"?
Such interfaces should be on a network of their own, so you have to go
through a router to be able to connect to them. On the same router you can put
stunnel, or a redirect to another machine that does the tunneling, to make sure
the insecure connections from the trusted network are not routed over the regular
network (be it company-internal or the Internet).
> Same thing with needing sshv1 to access old network gear where even sshv1
> was an achievement. "Throw away gear that does its job perfectly well,
> but has no sshv2 for *management*" or "keep around an ssh v1 capable
> client"?
If you depend on hardware like this, you should have support* for it. Exactly
because of issues like this.
* - where "support" means that either you have other people responsible for
fixing it or that you can hire other people to fix it as the need arises.
--
Regards,
Hubert Kario
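The layout Hubert describes above (management interfaces on their own network, reached through a router that runs stunnel) needs two chained stunnel services, because one service is either a TLS server or a TLS client, not both. This is an added example, not part of the thread or of stunnel's own documentation; the addresses, certificate path and cipher name are constructed placeholders, and it assumes stunnel 5.x.

```ini
; Added example (not from the thread): stunnel on the management router,
; bridging a current browser to a device that only speaks legacy SSL.
; Addresses, the certificate path and the cipher name are placeholders.

; Service 1 (server mode). The admin's up-to-date browser connects here
; with modern TLS and a certificate it can validate. The decrypted
; stream is handed to service 2 over loopback only.
[legacy-device-frontend]
; router interface on the trusted network
accept = 192.0.2.1:8443
connect = 127.0.0.1:18443
cert = /etc/stunnel/router.pem
sslVersion = TLSv1.2

; Service 2 (client mode). Re-encrypts toward the device with the only
; protocol and cipher the device supports. Accepting on 127.0.0.1 keeps
; the weak leg inside the router; the device sits on the isolated
; management network and is reachable from nowhere else.
[legacy-device-backend]
client = yes
accept = 127.0.0.1:18443
; the device on the management network
connect = 198.51.100.10:443
sslVersion = SSLv3
; 40-bit export cipher, placeholder for whatever the device negotiates
ciphers = EXP-RC4-MD5
```

The backend service only works with an OpenSSL build that still contains SSLv3 and the export ciphers, which current releases leave out, so the router is the one host that has to carry such a build. The weak leg never leaves the router, and the frontend is the only thing the trusted network can reach.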