FYI: SSH1 now disabled at compile-time by default

Gert Doering gert at greenie.muc.de
Sat Mar 28 01:14:56 AEDT 2015


Hi,

On Fri, Mar 27, 2015 at 03:02:05PM +0100, Hubert Kario wrote:
> > >  * - where "support" means that either you have other people responsible
> > >  for
> > > fixing it or that you can hire other people to fix it as the need arises
> >
> > Try opening a case with HP that their ILO is broken and stupid, and they
> > will happily sell you a new machine with a less broken ILO (or "differently"
> > broken), but not do stuff like "add sane ciphers to an ILO2".  Same for
> > Cisco - of course you can buy a new machine with SSHv2, but for the old
> > one, they will do hardware replacement if it breaks, but no "new features
> > in the software"...
> 
> then vote with your wallet
> 
> as long as you keep buying broken hardware, they will keep selling broken 
> hardware

There's the thing about "primary functions" and "secondary functions".

For a server, ILO/IPMI is a secondary function, and no sane company is
going to buy something that is less good at its primary function just
to get something better for secondary functions.  Besides, *all* the
remote management solutions are total sh*t, like "most IPMIs happily
giving anyone who asks a full list of accounts + passwords" and stuff
like that - so ILO is actually among the better ones.

For a router, things like "forwarding plane and routing protocol support"
and "user interface that the people running the network know how to
operate *and debug*" are critical elements, while "SSHv2" or "SSH with
pub key authentication" are definitely nice-to-haves, but won't make 
anyone switch vendors.

> > Yes, it would be so cool if we could just pay someone to put Linux on
> > our routing gear and give us a SSHv2 server (without breaking the functions
> > that the device is important for, like "routing").  Right.
> 
> Linux can work as a router. And nowadays most of network appliances are just 
> regular x86 PCs with nice GUI on top.

Won't particularly help if that appliance comes as a bundle, and you do
not get the keys (metaphorically speaking) to replace individual parts 
of the system...

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
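Added example for this thread (not code from the message above, nor from OpenSSH): before a client build without SSH1 support rolls out, it helps to know which management interfaces and routers still advertise protocol 1 only. The script below reads only the SSH identification string (RFC 4253, section 4.2), so it needs no SSH1 support on the client side and never starts a key exchange. The host names and banners in SAMPLE_BANNERS are constructed sample data; grab_banner() is included for use against real hosts but is not called by default.

```python
#!/usr/bin/env python3
"""Inventory SSH servers by the protocol versions their banner advertises.

Added example, not part of the original message or of OpenSSH. Only the
identification string is read, so this is safe against SSH-1-only gear.
"""
import socket


def parse_ssh_banner(data: bytes) -> dict:
    """Parse the identification string out of the first bytes a server sends.

    Format: "SSH-protoversion-softwareversion [SP comments] CR LF".
    Any lines before it (RFC 4253 allows servers to send some) are skipped.
    protoversion "1.99" means the server speaks both 1.x and 2.0.
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            break
    else:
        raise ValueError("no SSH identification string in %r" % data)
    proto, _, tail = line[4:].decode("ascii", "replace").partition("-")
    software = tail.split(" ", 1)[0]  # drop optional comments field
    return {
        "protoversion": proto,
        "software": software,
        "supports_v1": proto.startswith("1."),
        "supports_v2": proto in ("2.0", "1.99"),
    }


def classify(data: bytes) -> str:
    """Return 'v1-only', 'v2-only', 'v1+v2' or 'unknown' for a banner."""
    info = parse_ssh_banner(data)
    if info["supports_v1"] and info["supports_v2"]:
        return "v1+v2"
    if info["supports_v2"]:
        return "v2-only"
    if info["supports_v1"]:
        return "v1-only"
    return "unknown"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Connect, read until a complete SSH- line has arrived, and close.

    Nothing is sent, so no key exchange happens on either protocol version.
    """
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while len(buf) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
            complete_lines = buf.split(b"\n")[:-1]
            if any(l.startswith(b"SSH-") for l in complete_lines):
                break
    return buf


def hosts_needing_ssh1(banners: dict) -> list:
    """Given {host: banner bytes}, return hosts that only speak protocol 1."""
    return sorted(h for h, b in banners.items() if classify(b) == "v1-only")


# Constructed sample data for offline use; not real hosts or captured banners.
SAMPLE_BANNERS = {
    "ilo-old.example":  b"SSH-1.5-Example_MgmtSSH_1.0\r\n",
    "router-1.example": b"SSH-1.99-Cisco-1.25\r\n",
    "bastion.example":  b"SSH-2.0-OpenSSH_6.8\r\n",
    "switch-2.example": b"Authorized use only.\r\nSSH-2.0-Example_Switch_2.3\r\n",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        info = parse_ssh_banner(banner)
        print("%-20s %-8s %s" % (host, classify(banner), info["software"]))
    print("still need SSH1:", hosts_needing_ssh1(SAMPLE_BANNERS))
```

To run it against real devices, replace SAMPLE_BANNERS with a dict built from grab_banner() calls; a "v1-only" result is the list of gear that will be unreachable from a default OpenSSH client build.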


More information about the openssh-unix-dev mailing list