[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#806962: No supported cipher blowfish breaks systems

Hash: SHA512

Hi Colin,

Am Do den  3. Dez 2015 um 18:54 schrieb Colin Watson:
> > > You can always override global ssh_config at a per-user level.  Your
> > > report is about accessing other systems from an upgraded ssh client,
> > > which means that it is irrelevant whether the remote side is root with
> > > pubkey authentication only or an ordinary user account.
> > 
> > Nope, not that. I have it overwritten in my local .ssh/config file but
> > it still complains about the error in global file.
> > 
> > Well, I access the local server from a local client on a system that
> > only allows passwordless root access vial localhost ssh.
> Oh, right, got it.  In that case I suggest using "ssh -F ~/.ssh/config",
> since that will cause it to not even try to parse /etc/ssh/ssh_config;
> you can then use that to make the system's /etc/ssh/ssh_config
> consistent with the upgraded client.  Does that help?

That might. I for myself found another way as I use puppet on all of my
boxes. But it took me hard in the first place.

> > > particularly since I do in fact strongly agree with
> > > disabling protocol 1!
> > 
> > Oh, you find "Protocol 2" in all my configurations. However, on client
> > side I still need to have protocol 1 as many embedded systems like
> > routers only have ssh1 support.
> Yes, I'm not sure of the right long-term approach for that.  I rather
> suspect that OpenSSH upstream is hoping to act as a forcing function to
> get those systems to get their act together with long-overdue upgrades,
> which seems laudable but I don't know how successful it will be.  As far
> as Debian is concerned, it may make sense to add a separate client-only
> binary package for those that really really need it, but I'll see how
> things look over time; it may be that protocol 1 support is entirely
> removed from the OpenSSH source tree in the near future,

I hope that too. I don't like to have protocoll 1 enabled. However, I
know how ignorant those companies are and I know that I have no real
influent to it.

> which would make it difficult to support such a thing longer-term.

That for sure.

- -- 
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
Version: GnuPG v1


Reply to: