Legacy option for key length?

David Newall openssh at davidnewall.com
Sun Dec 31 16:47:31 AEDT 2017


On 31/12/17 13:52, Peter Moody wrote:
>> By making it impossible for people to use SSH
> nb, it's not impossible to use opessh. it might not be possible to use
> a*modern*  openssh client to connect to an old, unpatched unmaintained
> (by the vendor) sshd. i'd argue that's not the client's fault.

Of course it's the client's fault.  The client worked, was changed, and 
thus stopped working.  The client wasn't faulty before, and the 
difference was that some people thought it would be a good idea to break 
compatibility with other standard-compliant software.  That's got to be 
the definition of "client's fault" (where "client" means "the people who 
modified the client".)


>> you are forcing people to use
>> less secure software; telnet because they can't use ssh;
> alternative interpretation. i'm less likely to buy from a vendor who
> has a history of not keeping their software patched. if everyone else
> is similarly inclined, vendors will quickly take note.

You're blaming the victim?  It's their fault for lacking prescience?

>> old, buggy versions
>> of ssh because that's what they had to install so that they could connect to
>> their industrial equipment.
> I'd personally be more worried about the buggy sshd to which I'm connecting.

By all means worry about that; but there's no suggestion that the 
server, in this case, is buggy.

> maintaining old code isn't free. if you need the old options, ssh1
> support, whatever, you should bear the cost of that yourself (by
> keeping an old copy around, or compiling it yourself when you need
> it). that cost shouldn't be borne by the openssh developers and not
> the ret of the community.

The developers fucked up.  They chose to expend effort breaking 
backwards compatibility when they didn't have to.  For the same effort 
they could have deprecated shorter keys without disallowing them.

But, by all means, force people to use old versions.  That's got to 
advance security, doesn't it?  Who knows, maybe you might even cause a 
fork.  Then there'd be openssh, which doesn't work with lots and lots of 
stuff, and there'd be universalssh which works with everything, which 
has all of the latest goodness of openssh (because, why wouldn't it?) 
without any of the nastiness.  Then Debian and Red Hat would switch, and 
openssh would become an also-ran.  Not a terrible result for the world 
but a bad look for the core openssh developers.




More information about the openssh-unix-dev mailing list