OpenSSH support for FIDO RSA keys

Ethan Rahn ethan.rahn at gmail.com
Tue Aug 31 02:53:55 AEST 2021


> as a thought experiment, imagine asking the chrome devs to keep
supporting ssl v3 because some commercial appliance you run hasn't
been updated in a decade.

From what I recall that was an issue. I can tell you that there will always
be people who have antiquated legacy equipment they cannot update that will
support antiquated legacy protocols.

One insight that I have however is that the people who have those pieces of
legacy equipment are more likely to be large companies than private
individuals. I will also note that there are great benefits to removing
legacy code - it was often written during more unenlightened times and
may have its own cruft that makes the overall system harder to maintain.
Less technical debt is also likely to lead to better code when you can
focus on the amount remaining. After all, is there anything more sublime
than deleting code to improve your deliverable?

I'd humbly suggest that if people really want to have an official "legacy
OpenSSH" they should pay Damien to maintain it. Going back to my above
point, most end users who need ssh-dss are big companies with locked in
hardware that cannot be updated. They should be able to spare some dollars
to support connecting to their equipment. I'm sure that whatever is worked
out will be less than hiring consultants to come up with a solution to
maintain a legacy binary.

Cheers,

Ethan

On Mon, Aug 30, 2021 at 8:51 AM Peter Moody <mindrot at hda3.com> wrote:

> > That will take effort and I bet leaving them in the code will take none.
>
> neither you nor I are maintainers of openssh, but with unit tests and
> configure options, this strikes me as a weird assumption to make.
>
> look, this comes up every time openssh removes support for some
> horribly broken crypto. "you're making my devices inaccessible, how
> could you!?" and the answer is always the same,
>
>  1. you're free to maintain a copy of the ssh client that supports
> your old devices.
>  2. you should be complaining to your hardware vendor, to whom you
> pay/paid actual money.
>
> as a thought experiment, imagine asking the chrome devs to keep
> supporting ssl v3 because some commercial appliance you run hasn't
> been updated in a decade.
>
> /rant
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>