On 28/8/21 2:57 am, Peter Stuge wrote:
> Damien Miller wrote:
>> I'm expecting a big fight when I eventually push to remove ssh-dss,
>
> FWIW I think that's long overdue, and understand your worry.

I, too, understand your worry, but I also understand why there will be a lot of pushback against removing it.

A lot of equipment, perfectly good equipment, expensive equipment, but old equipment requires it. Most of it is behind a security appliance so there's no real risk is negligible if indeed it's not actually zero.

Removing DSS removes management access to the equipment and the only reason is a pedantic complaint that DSS is trivially broken.

Please don't break equipment over well-meaning pedantry.
On Mon, 30 Aug 2021, David Newall wrote:
> A lot of equipment, perfectly good equipment, expensive equipment, but
> old equipment requires it. Most of it is behind a security appliance so
> there's no real risk is negligible if indeed it's not actually zero.
>
> Removing DSS removes management access to the equipment and the only
> reason is a pedantic complaint that DSS is trivially broken.
>
> Please don't break equipment over well-meaning pedantry.

I bet this (once) expensive equipment still supports telnet, so nothing is being broken.

-d
On 2021/08/30 11:43, David Newall wrote:
> On 28/8/21 2:57 am, Peter Stuge wrote:
> > Damien Miller wrote:
> > > I'm expecting a big fight when I eventually push to remove ssh-dss,
> > FWIW I think that's long overdue, and understand your worry.
>
> I, too, understand your worry, but I also understand why there will be a lot
> of pushback against removing it.
>
> A lot of equipment, perfectly good equipment, expensive equipment, but old
> equipment requires it. Most of it is behind a security appliance so there's
> no real risk is negligible if indeed it's not actually zero.
>
> Removing DSS removes management access to the equipment and the only reason
> is a pedantic complaint that DSS is trivially broken.
>
> Please don't break equipment over well-meaning pedantry.

Oh not this one again. OpenSSH already removed support for things used by some devices. It is annoying but the world didn't end - if you need to use some separate legacy ssh binary (sometimes spelt 'p l i n k') to connect it acts as a good reminder that you're not really using a secure protocol for that connection.