Legacy option for key length?

Haven Tristan Hash havenster at gmail.com
Tue Jan 2 18:46:34 AEDT 2018


If you mean put zero warnings and not 'wait until there are zero users'
then I see in that a tacit agreement that indeed there comes a time when
the userbase is small enough that it warrants removal/disablement
(especially if there is a security concern, even more especially in
security related software). Then it's just a question of when, and as is
their custom and prerogative, OpenSSH chose earlier than you would have
liked in this case. Making such judgement calls is partially what made them
the popular SSH client/server that they are.

2018-01-02 2:16 GMT-05:00 Haven Tristan Hash <havenster at gmail.com>:

>
>
>> I think zero.
>
>
> That seems like a pretty untenable position.
>
> Note that a less extreme stance than this (0!) still led OpenSSL to
> support VMS, Netware and 16-bit Windows into 2014 and beyond. Creating a
> larger, more complex codebase which contributed to security problems.
> Security being the entire point, this was deemed by others (OpenBSD from
> whence comes this very OpenSSH) to be counter-productive. OpenBSD then
> forked and removed said support. So their philosophy on removing insecure
> baggage is pretty clear and consistent.
>
> It seems like you grant the point that the 768 bit keys are insecure and
> you don't mind, in which case you likely already have an easily accessible
> command line option to access these devices called telnet.
>
>

