Hi,

On Mon, Jan 01, 2018 at 07:52:26AM -0800, Peter Moody wrote:
> I would prefer that:
>
> * commercial vendors patched the software they sold
> * people who purchased from these vendors to take responsibility for
> their actions and apply pressure on the commercial vendors rather than
> the free software developers who provide the client software, for
> free.

You *are* aware what people are talking about? Like, management cards for UPSes and such, where the important part is "will that UPS provide reliable power for a reasonable price", a secondary question is "can I monitor that thing in a reasonable way?", and a very very very minor influencing factor is "will the management card do SNMPv3, or SSH with a 2048 bit RSA key size"?

Your extreme point of view is just unrealistic for such devices and vendors.

> and I'm not sure what your bugaboo is about a fractured user base; at
> any given time there are probably hundreds of different versions of
> openssh being distributed due to different os's, distros, etc.
>
> by the way, do you not see that every one of your arguments about the
> openssh client can be applied, almost verbatim, to the vendor supplied
> sshd? with the obvious exception that one is supplied by a commercial
> vendor.

Like, "making updates, and all of a sudden, working setups stop working"?

I *have* seen this, and usually because the vendor imported a newer version of OpenSSH, which broke existing functionality :-) (like, Fortigate, which all of a sudden did not authenticate users with DSA keys anymore, and no mention of it in the release notes...).

gert
--
now what should I write here...

Gert Doering - Munich, Germany gert at greenie.muc.de
Gert Doering wrote:
> On Mon, Jan 01, 2018 at 07:52:26AM -0800, Peter Moody wrote:
>> I would prefer that:
>>
>> * commercial vendors patched the software they sold
>> * people who purchased from these vendors to take responsibility for
>> their actions and apply pressure on the commercial vendors rather than
>> the free software developers who provide the client software, for
>> free.
>
> You *are* aware what people are talking about? Like, management cards
> for UPSes and such, where the important part is "will that UPS provide
> reliable power for a reasonable price", a secondary question is "can I
> monitor that thing in a reasonable way?", and a very very very minor
> influencing factor is "will the management card do SNMPv3, or SSH with a
> 2048 bit RSA key size"?

And another important question is: How high is the risk that this unmaintained device is added to yet-another-bot-net in the Internet-of-shitty-devices or is used to enter parts of your network.

If you run such devices you have to do your homework. Part of this is to set up secured admin gateways where you can run whatever customized SSH client you need to accommodate these moldy devices.

It might turn out that it's cheaper to buy new devices though.

Ciao, Michael.
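The "customized SSH client" Michael suggests for an admin gateway does not need a patched binary; on OpenSSH 7.x it is a per-host block in ssh_config that re-enables exactly the algorithms the legacy management cards still need, and nothing else. The following is an added example, not part of the original thread or of OpenSSH's own documentation; the host pattern, the jump host, the user name and the key path are assumptions. The leading `+` appends to the client's default list rather than replacing it, which is how the OpenSSH 7.0 release notes describe re-enabling `ssh-dss` after it was dropped from the defaults. Note that this only helps where the *client* is the one refusing the old algorithm; it cannot undo a vendor's sshd removing DSA user authentication, as in the Fortigate case above.

```sshconfig
# Added example (not from the thread): ~/.ssh/config on the admin gateway.
# Host pattern, jump host, user and key path are assumptions.

# Only the legacy management network gets the relaxed settings.
Host ups-mgmt-*.lab.example
    # Hop through the hardened gateway; nothing talks to the cards directly.
    ProxyJump admin-gw.lab.example
    User admin
    IdentityFile ~/.ssh/legacy_mgmt_rsa
    IdentitiesOnly yes

    # Re-enable what OpenSSH 7.x removed from its defaults, for these hosts only.
    # '+' appends to the default list instead of replacing it.
    HostKeyAlgorithms +ssh-dss,ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa
    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    Ciphers +aes128-cbc,3des-cbc

    # These algorithms are weak, so pin host keys in a dedicated file and
    # refuse to connect if a card's key changes underneath you.
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts_legacy
```

Check what the client will actually offer a given host with `ssh -G ups-mgmt-01.lab.example | grep -i -e kexalgorithms -e pubkeyacceptedkeytypes`; `-G` prints the effective configuration after `Host` matching without connecting. Run the same command against a host outside the pattern to confirm the defaults are untouched. On OpenSSH 8.5 and later the option is spelled `PubkeyAcceptedAlgorithms`, with the old name kept as an alias.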
> Like, "making updates, and all of a sudden, working setups stop working"?
>
> I *have* seen this, and usually because the vendor imported a newer version
> of OpenSSH, which broke existing functionality :-) (like, Fortigate, which
> all of a sudden did not authenticate users with DSA keys anymore, and no
> mentioning of it in the release notes...).

I don't doubt it.

but between the openssh devs and the fortigate qa team, whose fault is this? :)
Hi,

On Mon, Jan 01, 2018 at 09:19:22AM -0800, Peter Moody wrote:
> > Like, "making updates, and all of a sudden, working setups stop working"?
> >
> > I *have* seen this, and usually because the vendor imported a newer version
> > of OpenSSH, which broke existing functionality :-) (like, Fortigate, which
> > all of a sudden did not authenticate users with DSA keys anymore, and no
> > mentioning of it in the release notes...).
>
> I don't doubt it.
>
> but between the openssh devs and the fortigate qa team, whose fault is this? :)

"Not mentioning the change in the release notes" - undoubtedly the fortigate QA team. Supposedly vendors are supposed to import the latest and greatest software all the time (your words, paraphrased). So, they did everything right here, except for the release notes...

"Taking away functionality that results in unexpected extra work for the admin", well, whoever removed that functionality.

gert
--
now what should I write here...

Gert Doering - Munich, Germany gert at greenie.muc.de
On 02/01/18 03:29, Michael Ströder wrote:
> How high is the risk that this unmaintained device is added to
> yet-another-bot-net in the Internet-of-shitty-devices or is used to
> enter parts of your network.

I think that is what is called a straw-man argument. If a device can be compromised in the way you suggest, then I am sure it will be replaced, but it will be replaced because it needs to be, not because its management interface cannot be accessed via the latest openssh. Disallowing use of openssh doesn't encourage people to throw away expensive gear, it encourages them to throw away new versions of openssh.