On Thu, Mar 26, 2015 at 11:55:18 -0700, Dan Kaminsky wrote:
> You're right. My argument is the next build of OpenSSH should be
> OpenSSH 7, and the one after that 8, then 9, then 10. No minor releases?
> Sure, go ahead. Deprecate the point,
>
> Do you manage any machines running SSHv1?
>

If by "running" you mean accepting SSH1, of course not. From a security
perspective, no one should be using SSH1.

For those who, for whatever reason, need to support systems that only
support SSH1, there are already sufficient solutions that have been
noted multiple times on this list.

Those who are still using SSH1 have already demonstrated the fact that
they are slow to embrace new technology, so I would not be surprised to
find that the majority of them are also slow to upgrade to newer
versions of OpenSSH. I would also not be surprised to find that many of
them are still using telnet to manage their routers.

--
Iain Morgan
On 26 Mar 2015, at 19:43, Iain Morgan <imorgan at nas.nasa.gov> wrote:
> Those who are still using SSH1 have already demonstrated the fact that
> they are slow to embrace new technology, so I would not be surprised to
> find that the majority of them are also slow to upgrade to newer
> versions of OpenSSH. I would also not be surprised to find that many of
> them are still using telnet to manage their routers.

Really?

I use ssh2 everywhere (obviously). Occasionally I need to connect to
an old Cisco box that cannot be upgraded to support new ssh protocols
because the flash is not large enough. It's locked down by IP
address, and behind a firewall, but the only option other than ssh is
telnet. I'd like my normal client to support sshv2 and sshv1. I don't mind
having to explicitly request this on the command line, nor do
I mind warnings. I don't think this use case is particularly unusual
given ssh is a 'swiss army knife' tool. Does the fact I still like
my odd-tool-that-removes-the-stones-from-horses-hooves make me
slow to embrace the shiny sharp blade?

Or (to put this another way) - fine, disable at compile-time
by default if you want. But please also make it possible to
have it compiled in but produce a warning and require explicit
confirmation or something. This would encourage the distros
to choose either one of those things, rather than simply
change the compilation option back.

--
Alex Bligh
On Thu, Mar 26, 2015 at 20:11:28 +0000, Alex Bligh wrote:
>
> On 26 Mar 2015, at 19:43, Iain Morgan <imorgan at nas.nasa.gov> wrote:
> > Those who are still using SSH1 have already demonstrated the fact that
> > they are slow to embrace new technology, so I would not be surprised to
> > find that the majority of them are also slow to upgrade to newer
> > versions of OpenSSH. I would also not be surprised to find that many of
> > them are still using telnet to manage their routers.
>
> Really?
>
> I use ssh2 everywhere (obviously). Occasionally I need to connect to
> an old Cisco box that cannot be upgraded to support new ssh protocols
> because the flash is not large enough. It's locked down by IP
> address, and behind a firewall, but the only option other than ssh is
> telnet. I'd like my normal client to support sshv2 and sshv1. I don't mind
> having to explicitly request this on the command line, nor do
> I mind warnings. I don't think this use case is particularly unusual
> given ssh is a 'swiss army knife' tool. Does the fact I still like
> my odd-tool-that-removes-the-stones-from-horses-hooves make me
> slow to embrace the shiny sharp blade?
>
> Or (to put this another way) - fine, disable at compile-time
> by default if you want. But please also make it possible to
> have it compiled in but produce a warning and require explicit
> confirmation or something. This would encourage the distros
> to choose either one of those things, rather than simply
> change the compilation option back.
>
> --
> Alex Bligh
>

So, there's already a compile-time option to enable SSH1 support. And, I
rather suspect that some OS distributors will enable that option by
default and others might provide both flavors. This is merely a change
to the default for OpenBSD and stock portable OpenSSH.

--
Iain Morgan
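A practical follow-up to the exchange above, added here as an example and not part of the thread or of OpenSSH itself: before deciding whether an SSH1-capable client is still needed, it helps to know which hosts can only be reached with one. The server's identification string answers that without any key exchange. RFC 4253 section 5.1 defines the line as `SSH-protoversion-softwareversion [SP comments]`; a server that announces `1.99` is willing to speak both protocol 1 and 2, a plain `1.x` is SSH1 only, and `2.0` is SSH2 only (an SSH2-only host is reachable from a client built without SSH1, a `1.5` host is not). The banners in `SAMPLE_BANNERS` are constructed for the example, and `probe()` is a small helper that reads a live banner; it is only needed for a real scan and is not exercised offline.

```python
"""Classify SSH servers by the protocol versions their identification
string advertises (RFC 4253 section 5.1, plus the "1.99" convention that
SSH1/SSH2 dual-protocol servers use).

Added example; not code from the mailing-list thread or from OpenSSH.
The sample banners below are constructed, not captured from real hosts.
"""
import re
import socket

# SSH-protoversion-softwareversion [SP comments]   (RFC 4253, s5.1)
_BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")


def classify_banner(line: str) -> dict:
    """Parse one identification string and report which protocol
    majors the server will speak.

    "1.99"      -> both 1 and 2 (compatibility marker, RFC 4253 s5.1)
    "1.x"       -> SSH1 only (x != 99)
    "2.x"       -> SSH2 only
    """
    line = line.rstrip("\r\n")
    m = _BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto, software, comment = m.groups()
    if proto == "1.99":
        speaks = {1, 2}
    elif proto.startswith("1."):
        speaks = {1}
    elif proto.startswith("2."):
        speaks = {2}
    else:
        raise ValueError(f"unknown protoversion {proto!r}")
    return {
        "protoversion": proto,
        "software": software,
        "comment": comment,
        "speaks": speaks,
        # True means: unreachable from a client built without SSH1.
        "ssh1_only": speaks == {1},
    }


def probe(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Read a live server's identification string and classify it.

    The server sends its line unprompted. RFC 4253 allows other lines
    (not starting with "SSH-") before it, so those are skipped.
    Network helper only; nothing offline calls it.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for raw in f:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            if line.startswith("SSH-"):
                return classify_banner(line)
    raise ValueError("no identification string received")


# Constructed sample banners (the kind of thing an inventory scan
# collects): an SSH1-only IOS image, an old dual-protocol OpenSSH,
# a modern SSH2-only OpenSSH, and an SSH1-only OpenSSH 2.x.
SAMPLE_BANNERS = [
    "SSH-1.5-Cisco-1.25",
    "SSH-1.99-OpenSSH_3.9p1",
    "SSH-2.0-OpenSSH_6.8",
    "SSH-1.5-OpenSSH_2.3.0",
]


def ssh1_only_hosts(banners):
    """Return the banners of hosts that need an SSH1-capable client."""
    return [b for b in banners if classify_banner(b)["ssh1_only"]]


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        info = classify_banner(b)
        print(f"{b:28s} speaks={sorted(info['speaks'])} "
              f"ssh1_only={info['ssh1_only']}")
```

The banners that come back as `ssh1_only` are the ones that would stop working against a client built with SSH1 disabled; an OpenSSH client that still has protocol 1 compiled in can be pointed at such a host explicitly with `ssh -1 host` or a per-host `Protocol 1` in `ssh_config`, while leaving `Protocol 2` as the default for everything else. A host announcing `1.99` needs no special treatment, since a protocol-2-only client negotiates with it normally.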
So, this isn't your problem and you don't respect the people whose
problem it is.

On Thu, Mar 26, 2015 at 12:43 PM, Iain Morgan <imorgan at nas.nasa.gov> wrote:
> On Thu, Mar 26, 2015 at 11:55:18 -0700, Dan Kaminsky wrote:
> > You're right. My argument is the next build of OpenSSH should be
> > OpenSSH 7, and the one after that 8, then 9, then 10. No minor releases?
> > Sure, go ahead. Deprecate the point,
> >
> > Do you manage any machines running SSHv1?
> >
>
> If by "running" you mean accepting SSH1, of course not. From a security
> perspective, no one should be using SSH1.
>
> For those who, for whatever reason, need to support systems that only
> support SSH1, there are already sufficient solutions that have been
> noted multiple times on this list.
>
> Those who are still using SSH1 have already demonstrated the fact that
> they are slow to embrace new technology, so I would not be surprised to
> find that the majority of them are also slow to upgrade to newer
> versions of OpenSSH. I would also not be surprised to find that many of
> them are still using telnet to manage their routers.
>
> --
> Iain Morgan
>
No, I just think 15 years or so is more than enough time to have
addressed the issue.

On Thu, Mar 26, 2015 at 14:05:08 -0700, Dan Kaminsky wrote:
> So, this isn't your problem and you don't respect the people whose
> problem it is.
>
> On Thu, Mar 26, 2015 at 12:43 PM, Iain Morgan <imorgan at nas.nasa.gov> wrote:
>
> > On Thu, Mar 26, 2015 at 11:55:18 -0700, Dan Kaminsky wrote:
> > > You're right. My argument is the next build of OpenSSH should be
> > > OpenSSH 7, and the one after that 8, then 9, then 10. No minor releases?
> > > Sure, go ahead. Deprecate the point,
> > >
> > > Do you manage any machines running SSHv1?
> > >
> >
> > If by "running" you mean accepting SSH1, of course not. From a security
> > perspective, no one should be using SSH1.
> >
> > For those who, for whatever reason, need to support systems that only
> > support SSH1, there are already sufficient solutions that have been
> > noted multiple times on this list.
> >
> > Those who are still using SSH1 have already demonstrated the fact that
> > they are slow to embrace new technology, so I would not be surprised to
> > find that the majority of them are also slow to upgrade to newer
> > versions of OpenSSH. I would also not be surprised to find that many of
> > them are still using telnet to manage their routers.
> >
> > --
> > Iain Morgan
> >

--
Iain Morgan