Hi,

On Fri, Mar 27, 2015 at 02:36:50PM +0100, Hubert Kario wrote:
> > Same thing with needing sshv1 to access old network gear where even sshv1
> > was an achievement. "Throw away gear that does its job perfectly well,
> > but has no sshv2 for *management*" or "keep around an ssh v1 capable
> > client"?
>
> If you depend on hardware like this, you should have support* for it. Exactly
> because issues like this.
>
> * - where "support" means that either you have other people responsible for
> fixing it or that you can hire other people to fix it as the need arises

You *definitely* need some real world exposure to the world of closed
source :-) - really.

Try opening a case with HP that their ILO is broken and stupid, and they
will happily sell you a new machine with a less broken ILO (or "differently"
broken), but not do stuff like "add sane ciphers to an ILO2". Same for
Cisco - of course you can buy a new machine with SSHv2, but for the old
one, they will do hardware replacement if it breaks, but no "new features
in the software"...

Yes, it would be so cool if we could just pay someone to put Linux on
our routing gear and give us a SSHv2 server (without breaking the functions
that the device is important for, like "routing"). Right.

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de

On Friday 27 March 2015 14:45:13 Gert Doering wrote:
> Hi,
>
> On Fri, Mar 27, 2015 at 02:36:50PM +0100, Hubert Kario wrote:
> > > Same thing with needing sshv1 to access old network gear where even
> > > sshv1 was an achievement. "Throw away gear that does its job perfectly
> > > well, but has no sshv2 for *management*" or "keep around an ssh v1
> > > capable client"?
> >
> > If you depend on hardware like this, you should have support* for it.
> > Exactly because issues like this.
> >
> > * - where "support" means that either you have other people responsible
> > for fixing it or that you can hire other people to fix it as the need
> > arises
>
> Try opening a case with HP that their ILO is broken and stupid, and they
> will happily sell you a new machine with a less broken ILO (or "differently"
> broken), but not do stuff like "add sane ciphers to an ILO2". Same for
> Cisco - of course you can buy a new machine with SSHv2, but for the old
> one, they will do hardware replacement if it breaks, but no "new features
> in the software"...

then vote with your wallet

as long as you keep buying broken hardware, they will keep selling broken
hardware

> Yes, it would be so cool if we could just pay someone to put Linux on
> our routing gear and give us a SSHv2 server (without breaking the functions
> that the device is important for, like "routing"). Right.

Linux can work as a router. And nowadays most of network appliances are just
regular x86 PCs with nice GUI on top.
-- 
Regards,
Hubert Kario

Hi,

On Fri, Mar 27, 2015 at 03:02:05PM +0100, Hubert Kario wrote:
> > > * - where "support" means that either you have other people responsible
> > > for fixing it or that you can hire other people to fix it as the need
> > > arises
> >
> > Try opening a case with HP that their ILO is broken and stupid, and they
> > will happily sell you a new machine with a less broken ILO (or "differently"
> > broken), but not do stuff like "add sane ciphers to an ILO2". Same for
> > Cisco - of course you can buy a new machine with SSHv2, but for the old
> > one, they will do hardware replacement if it breaks, but no "new features
> > in the software"...
>
> then vote with your wallet
>
> as long as you keep buying broken hardware, they will keep selling broken
> hardware

There's the thing about "primary functions" and "secondary functions".

For a server, ILO/IPMI is a secondary function, and no sane company is
going to buy something that is less good at its primary function just to
get something better for secondary functions. Besides, *all* the remote
management solutions are total sh*t, like "most IPMIs happily giving anyone
who asks a full list of accounts + passwords" and stuff like that - so ILO
is actually among the better ones.

For a router, things like "forwarding plane and routing protocol support"
and "user interface that the people running the network know how to operate
*and debug*" are critical elements, while "SSHv2" or "SSH with pub key
authentication" are definitely nice-to-haves, but won't make anyone switch
vendors.

> > Yes, it would be so cool if we could just pay someone to put Linux on
> > our routing gear and give us a SSHv2 server (without breaking the functions
> > that the device is important for, like "routing"). Right.
>
> Linux can work as a router. And nowadays most of network appliances are just
> regular x86 PCs with nice GUI on top.

Won't particularly help if that appliance comes as a bundle, and you do
not get the keys (metaphorically speaking) to replace individual parts of
the system...

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de