Bug#806962: No supported cipher blowfish breaks systems
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi Colin,
Am Do den 3. Dez 2015 um 18:54 schrieb Colin Watson:
> > > You can always override global ssh_config at a per-user level. Your
> > > report is about accessing other systems from an upgraded ssh client,
> > > which means that it is irrelevant whether the remote side is root with
> > > pubkey authentication only or an ordinary user account.
> >
> > Nope, not that. I have it overwritten in my local .ssh/config file but
> > it still complains about the error in global file.
> >
> > Well, I access the local server from a local client on a system that
> > only allows passwordless root access vial localhost ssh.
>
> Oh, right, got it. In that case I suggest using "ssh -F ~/.ssh/config",
> since that will cause it to not even try to parse /etc/ssh/ssh_config;
> you can then use that to make the system's /etc/ssh/ssh_config
> consistent with the upgraded client. Does that help?
That might. I for myself found another way as I use puppet on all of my
boxes. But it took me hard in the first place.
> > > particularly since I do in fact strongly agree with
> > > disabling protocol 1!
> >
> > Oh, you find "Protocol 2" in all my configurations. However, on client
> > side I still need to have protocol 1 as many embedded systems like
> > routers only have ssh1 support.
>
> Yes, I'm not sure of the right long-term approach for that. I rather
> suspect that OpenSSH upstream is hoping to act as a forcing function to
> get those systems to get their act together with long-overdue upgrades,
> which seems laudable but I don't know how successful it will be. As far
> as Debian is concerned, it may make sense to add a separate client-only
> binary package for those that really really need it, but I'll see how
> things look over time; it may be that protocol 1 support is entirely
> removed from the OpenSSH source tree in the near future,
I hope that too. I don't like to have protocoll 1 enabled. However, I
know how ignorant those companies are and I know that I have no real
influent to it.
> which would make it difficult to support such a thing longer-term.
That for sure.
Gruß
Klaus
- --
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAEBCgAGBQJWYXhpAAoJEKZ8CrGAGfast6EL/29suMdXNKLmWT6GU2IcprSB
xIFF1lANJexOp7nD3g0LvKZ6UhdaBHmGahDYtXC0dCco4Q5xagk93nRey0WvFItV
BQ44pyWDJyRSEU4kFdJYKk0u4TS8bpOAfupR6Va9wZtUYxiaXehhP20f+zK6Rz06
9O86m5Afej8lFGYSyAkEJ4w1hQF4Pkyf/zMVxtnJDCU15CJDEXe+OMnllNJtjqFW
AxOAxCmlIlVPDKf+S3588SvPFs6BrU6cKQAydBarhcwSAMlVHzhB0qKzWdaxtMJe
3lRwhdTkm6QVhIm5psaPl5zzc9Cvgemrq3M6ncQSSX7zncmlBvdrfJiae6apVw+W
Q2fnqK19zg8xdpaDsCGi3I529eD034llVWGnlqXpDgnGDAIaOpCRpwfF2NwbjGpp
NSGV27jn1e2cdgMBSUij5ak7g2Md0miZnxEv8+zeztOH1MXwQqFZ1rX13oulfVcg
Kaq8ss0XJifhYk1jWCUTyuThtEdp66svgyRkBU6DUQ==
=IY7K
-----END PGP SIGNATURE-----
Reply to: