Bug#806962: No supported cipher blowfish breaks systems
On Thu, 3 Dec 2015 at 18:54, Colin Watson wrote:
> > > You can always override global ssh_config at a per-user level. Your
> > > report is about accessing other systems from an upgraded ssh client,
> > > which means that it is irrelevant whether the remote side is root with
> > > pubkey authentication only or an ordinary user account.
> > Nope, not that. I have it overwritten in my local .ssh/config file but
> > it still complains about the error in global file.
> > Well, I access the local server from a local client on a system that
> > only allows passwordless root access via localhost ssh.
> Oh, right, got it. In that case I suggest using "ssh -F ~/.ssh/config",
> since that will cause it to not even try to parse /etc/ssh/ssh_config;
> you can then use that to make the system's /etc/ssh/ssh_config
> consistent with the upgraded client. Does that help?
That might. I for myself found another way as I use puppet on all of my
boxes. But it took me hard in the first place.
> > > particularly since I do in fact strongly agree with
> > > disabling protocol 1!
> > Oh, you find "Protocol 2" in all my configurations. However, on client
> > side I still need to have protocol 1 as many embedded systems like
> > routers only have ssh1 support.
> Yes, I'm not sure of the right long-term approach for that. I rather
> suspect that OpenSSH upstream is hoping to act as a forcing function to
> get those systems to get their act together with long-overdue upgrades,
> which seems laudable but I don't know how successful it will be. As far
> as Debian is concerned, it may make sense to add a separate client-only
> binary package for those that really really need it, but I'll see how
> things look over time; it may be that protocol 1 support is entirely
> removed from the OpenSSH source tree in the near future,
I hope that too. I don't like to have protocol 1 enabled. However, I
know how ignorant those companies are and I know that I have no real
influence on it.
> which would make it difficult to support such a thing longer-term.
That for sure.
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
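
A check for the situation this thread describes (a global /etc/ssh/ssh_config naming a cipher the upgraded client no longer supports), as an added example that is not part of the original message or of the Debian package. The function names `unsupported_ciphers` and `demo`, the sample config, and the choice to check the single-value `Cipher` keyword against the same list as `Ciphers` are assumptions of this example.

```shell
# Added example. List cipher names in an ssh_config-style file that are
# absent from a list of supported names (one per line, as printed by
# `ssh -Q cipher`). Output: "<file>:<line>: <keyword> <name>".
# Assumption: "Cipher" is checked like "Ciphers"; wildcard patterns are skipped.
unsupported_ciphers() {
    awk -v sup="$2" '
        BEGIN {
            while ((getline l < sup) > 0) {
                gsub(/[ \t\r]/, "", l)
                if (l != "") ok[l] = 1
            }
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            # keyword and value are separated by whitespace or one "="
            n = match(line, /[ \t=]/)
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            if (key != "cipher" && key != "ciphers") next
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            gsub(/[ \t"]/, "", val)
            sub(/^[-+^]/, "", val)   # list-modifier prefix on Ciphers
            cnt = split(val, names, ",")
            for (i = 1; i <= cnt; i++)
                if (names[i] != "" && names[i] !~ /[*?]/ && !(names[i] in ok))
                    printf "%s:%d: %s %s\n", FILENAME, FNR, key, names[i]
        }
    ' "$1"
}

# Constructed sample: a global config naming ciphers the client lacks.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' aes128-ctr aes256-ctr > "$d/supported"
    cat > "$d/ssh_config" <<'EOF'
# constructed sample, not taken from the bug report
Host *
    Protocol 2
    Ciphers aes128-ctr,blowfish-cbc
Host router
    Cipher = blowfish
EOF
    unsupported_ciphers "$d/ssh_config" "$d/supported"
    rm -rf "$d"
}
```

Against a real client, save the output of `ssh -Q cipher` to a file and pass it as the second argument with `/etc/ssh/ssh_config` as the first; empty output means every cipher named in the file is in the supported list.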