On 2017-12-13 19:37:44 +0000, David Froble said:
> I find the practice of forcing others to "do as they are told" to be
> rather arrogant. YMMD.
>
> There are of course some things where an "intrusion" can be very bad.
> We all must be aware of such, and maintain eternal vigilance. I can
> accept such.
>
> There are situations where it really isn't much of an issue. I'm not
> too worried if someone can steal a few gaskets for a lawn mower. In
> such situations, much more harm is done if some production activity
> suddenly gets broken. Much more harm.
>
> In the case of the SSH problem, it would have been reasonable, from my
> perspective, to document the problems with the older stuff, while still
> allowing their use
How much advanced notice would you like? With OpenSSH, there was
about a year and a half for the migration window. In the case of this
particular OpenSSH key exchange issue, the notification that this key
exchange was being deprecated was propagated in July of 2015. A path
to re-enable the deprecated key exchange was provided with the
then-next OpenSSH V7.0 release, too.
http://www.openssh.com/legacy.html As part of the migration, better
alternatives (including Curve25519) had been made available and made
default (when both ends support it) in OpenSSH since the release back
at the beginning of 2014. NIST also provided vendor guidance back in
early 2015 with recommendations for longer key-exchange lengths.
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
ssh and TLS both support connection negotiation, allowing clients and
servers to negotiate support within the connection including the key
exchange and the cipher selected, meaning that there's a both
transition window and there's no ordering required for the upgrades.
Clients and servers can be upgraded independently, and connectivity can
be maintained. In this and various other cases, deprecated key
exchanges and deprecated ciphers can all be manually re-enabled after
they're no longer available by default.
It then takes a while for the upgrades to cycle through the
distribution channels and the installed bases of the various platforms,
certainly. The OpenSSH V7.0 release arrived in August of 2015, and
it's only just starting to show up at various sites such as Joukj's.
OpenSSH 6.9 was the one that disabled CBC ciphers by default. and
notice of that was provided earlier.
End-users aren't usually reading these details, but vendors definitely
need to be at least reading the notifications and release notes from
the major related products. We're not operating OpenVMS systems in
isolation. We're also increasingly forced into faster patch cycles,
particularly due to vulnerabilities. But in this case, there was
notice.
This is why I've suggested that developers and operations folks working
with security-related requirements get themselves onto security-related
notification lists.
Sitting on older protocol implementations works. Until it doesn't.
Or until your servers are newly featured in
https://haveibeenpwned.com
or elsewhere, or worse. Given its origins, the VSI IP appears very
likely to do better here than the HPE TCP and ssh implementations, too.
But this treadmill does not and will not end. The best of the
vendors will make the treadmill easier to stay on. With frameworks
that abstract otherwise incompatible differences, easier and faster
patching, and other mechanisms and approaches of which I've previously
ranted...
From
https://www.openssh.com/releasenotes.html
> ...
> OpenSSH 6.9/6.9p1 (2015-07-01)
> OpenSSH 6.9 has just been released. It will be available from the
> mirrors listed at
http://www.openssh.com/ shortly.
>
> OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
> implementation and includes sftp client and server support.
>
> Once again, we would like to thank the OpenSSH community for their
> continued support of the project, especially those who contributed
> code or patches, reported bugs, tested snapshots or donated to the
> project. More information on donations may be found at:
>
http://www.openssh.com/donations.html
>
> Future Deprecation Notice
> =========================
>
> The 7.0 release of OpenSSH, due for release in late July, will
> deprecate several features, some of which may affect compatibility
> or existing configurations. The intended changes are as follows:
>
> * The default for the sshd_config(5) PermitRootLogin option will
> change from "yes" to "no".
>
> * Support for the legacy version 1.x of the SSH protocol will be
> disabled at compile time by default.
>
> * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
> will be run-time disabled by default.
>
> * Support for ssh-dss, ssh-dss-cert-* host and user keys will be
> run-time disabled by default.
>
> * Support for the legacy v00 cert format will be removed
>
> * Several ciphers will be disabled by default: blowfish-cbc,
> cast128-cbc, all arcfour variants and the rijndael-cbc aliases
> for AES
>
> * Refusing all RSA keys smaller than 1024 bits (the current minimum
> is 768 bits)
> ...