On 30 January 2017 at 14:24, heasley <heas at shrubbery.net> wrote:
> Mon, Jan 30, 2017 at 01:56:03PM -0800, jungle Boogie:
>> On 30 January 2017 at 11:52, heasley <heas at shrubbery.net> wrote:
>> > Mon, Jan 30, 2017 at 01:57:32PM +0100, Dag-Erling Smørgrav:
>> >> heasley <heas at shrubbery.net> writes:
>> >> > So, what is the BCP to support a v1 client for outbound connections on fbsd
>> >> > 11? Hopefully one that I do not need to maintain by building a special ssh
>> >> > from ports. Is there a pkg that I'm missing?
>> >>
>> >> FreeBSD 10 supports SSHv1 and will continue to do so. FreeBSD 11 and 12
>> >> do not, and neither does the openssh-portable port. I'm afraid you will
>> >> have to find some other SSH client.
>> >
>> > That is sad; I doubt that I am the only one who would need this - there
>> > are millions of Cisco, HP, and etc network devices that folks must continue
>> > to access but will never receive new firmware with sshv2. It takes a long
>> > time for some equipment to transition to the recycle bin - even after
>> > vendor EOLs.
>>
>> Well you have about 7 months until it's deprecated from openssh.
>> What's wrong with continuing to use openSSH 7.4 post sshv1
>> deprecation?
>
> what's wrong with providing a 7.4+v1 port for everyone to use?

What will happen when 7.4 gets a vulnerability, then? I don't think
you or I will be patching it (or anyone else) and therefore, the
port/pkg will be knowingly vulnerable.

Why do we want that?

--
-------
inum: 883510009027723
sip: jungleboogie at sip2sip.info

On 30.01.2017 at 14:52, jungle Boogie <jungleboogie0 at gmail.com> wrote:
>
>> On 30 January 2017 at 14:24, heasley <heas at shrubbery.net> wrote:
>> Mon, Jan 30, 2017 at 01:56:03PM -0800, jungle Boogie:
>>>> On 30 January 2017 at 11:52, heasley <heas at shrubbery.net> wrote:
>>>> Mon, Jan 30, 2017 at 01:57:32PM +0100, Dag-Erling Smørgrav:
>>>>> heasley <heas at shrubbery.net> writes:
>>>>>> So, what is the BCP to support a v1 client for outbound connections on fbsd
>>>>>> 11? Hopefully one that I do not need to maintain by building a special ssh
>>>>>> from ports. Is there a pkg that I'm missing?
>>>>>
>>>>> FreeBSD 10 supports SSHv1 and will continue to do so. FreeBSD 11 and 12
>>>>> do not, and neither does the openssh-portable port. I'm afraid you will
>>>>> have to find some other SSH client.
>>>>
>>>> That is sad; I doubt that I am the only one who would need this - there
>>>> are millions of Cisco, HP, and etc network devices that folks must continue
>>>> to access but will never receive new firmware with sshv2. It takes a long
>>>> time for some equipment to transition to the recycle bin - even after
>>>> vendor EOLs.
>>>
>>> Well you have about 7 months until it's deprecated from openssh.
>>> What's wrong with continuing to use openSSH 7.4 post sshv1
>>> deprecation?
>>
>> what's wrong with providing a 7.4+v1 port for everyone to use?
>
> What will happen when 7.4 gets a vulnerability, then? I don't think
> you or I will be patching it (or anyone else) and therefore, the
> port/pkg will be knowingly vulnerable.
>
> Why do we want that?

So you are advocating telnet? Such a client is likely better still than telnet, which is the only alternative.

Without a pkg, folks are forced to maintain it themselves. Which is more likely to receive less attention between now and EoS for v1?

Don't make choices for or impose your rhetoric upon others, provide them the tools to make their choices.

>
> --
> -------
> inum: 883510009027723
> sip: jungleboogie at sip2sip.info

On 01/30/2017 09:36 PM, Heasley wrote:
>>> what's wrong with providing a 7.4+v1 port for everyone to use?
>>
>> What will happen when 7.4 gets a vulnerability, then? I don't think
>> you or I will be patching it (or anyone else) and therefore, the
>> port/pkg will be knowingly vulnerable.
>>
>> Why do we want that?
>
> So you are advocating telnet? Such a client is likely better still than telnet, which is the only alternative.
>

No, I've explained what I've advocated: compile 7.4 yourself and use
it for your own needs. Having FreeBSD keep deprecated software around
doesn't seem practical to me, and it seems this is also what FreeBSD
security believes.

Sorry that you're working with legacy hardware.

> Without a pkg, folks are forced to maintain it themselves. Which is more likely to receive less attention between now and EoS for v1?
>
> Don't make choices for or impose your rhetoric upon others, provide them the tools to make their choices.
>

Fact: I'm not imposing anything as I have no say in FreeBSD's security at all.

FWIW, in May 2016 the openssh team announced their intentions to
disable ssh v1:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-May/035069.html

It also looks like they pushed the deprecation from June to August as well.

Looks like ssh v1 was disabled at compile time in March 2015:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-March/033701.html

So unsurprisingly, it looks like they've communicated the desire to
remove sshv1 for a while.