NetBSD Problem Report #50148

From martin@aprisoft.de  Fri Aug 14 06:52:14 2015
Return-Path: <martin@aprisoft.de>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id AB397A65BA
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 14 Aug 2015 06:52:14 +0000 (UTC)
Message-Id: <20150814065203.8EE40ED0E4F@emmas.aprisoft.de>
Date: Fri, 14 Aug 2015 08:52:03 +0200 (CEST)
From: martin@NetBSD.org
Reply-To: martin@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: new ssh does not work at all
X-Send-Pr-Version: 3.95

>Number:         50148
>Category:       bin
>Synopsis:       new ssh does not work at all
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 14 06:55:00 +0000 2015
>Closed-Date:    Fri Nov 05 16:40:19 +0000 2021
>Last-Modified:  Fri Nov 05 16:40:19 +0000 2021
>Originator:     Martin Husemann
>Release:        NetBSD 7.99.20
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD whoever-brings-the-night.aprisoft.de 7.99.20 NetBSD 7.99.20 (WHOEVER) #73: Thu Aug 13 14:15:41 CEST 2015 martin@seven-days-to-the-wolves.aprisoft.de:/ssd/src/sys/arch/sparc64/compile/WHOEVER sparc64
Architecture: sparc64
Machine: sparc64
>Description:

Since updating to the new ssh yesterday, I can't connect anywhere:

[~] martin@whoever-brings-the-night > ssh-add -l
1024 SHA256:AiT3qkunhC+FDKX5cBcnrJ30jSk3EFXiTMl+zGpfTJA martin@emmas.up-vision.de (RSA1)
1024 SHA256:MYiybxoMY5GAp5kVvBKqcBr8TMgHmNcJuvFMBWm20Vo /home/martin/.ssh/id_dsa (DSA)
[~] martin@whoever-brings-the-night > ssh -vvvv emmas
OpenSSH_7.0 NetBSD_Secure_Shell-20150812, OpenSSL 1.0.1p 9 Jul 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to emmas [192.168.111.42] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/martin/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/martin/.ssh/id_rsa-cert type -1
debug1: identity file /home/martin/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /home/martin/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/martin/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/martin/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/martin/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/martin/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.0 NetBSD_Secure_Shell-20150812
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9 NetBSD_Secure_Shell-20110907-hpn13v11-lpk
debug1: match: OpenSSH_5.9 NetBSD_Secure_Shell-20110907-hpn13v11-lpk pat OpenSSH_5* compat 0x0c000000
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to emmas:22 as 'martin'
debug3: hostkeys_foreach: reading file "/home/martin/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA1 in file /home/martin/.ssh/known_hosts:10
debug3: load_hostkeys: loaded 1 keys from emmas
debug3: hostkeys_foreach: reading file "/home/martin/.ssh/known_hosts2"
debug3: record_hostkey: found key type RSA in file /home/martin/.ssh/known_hosts2:21
debug3: record_hostkey: found key type DSA in file /home/martin/.ssh/known_hosts2:22
debug3: load_hostkeys: loaded 2 keys from emmas
debug3: hostkeys_foreach: reading file "/etc/ssh/ssh_known_hosts"
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa
debug1: mac 0x0, -1 -1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: mac 0x0, -1 -1
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:CRTjxxHqPvvLWp7XhLQPS1A9R3NNUVIKmQUPrp874uw
debug3: hostkeys_foreach: reading file "/home/martin/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA1 in file /home/martin/.ssh/known_hosts:10
debug3: load_hostkeys: loaded 1 keys from emmas
debug3: hostkeys_foreach: reading file "/home/martin/.ssh/known_hosts2"
debug3: record_hostkey: found key type RSA in file /home/martin/.ssh/known_hosts2:21
debug3: record_hostkey: found key type DSA in file /home/martin/.ssh/known_hosts2:22
debug3: load_hostkeys: loaded 2 keys from emmas
debug3: hostkeys_foreach: reading file "/etc/ssh/ssh_known_hosts"
debug3: hostkeys_foreach: reading file "/home/martin/.ssh/known_hosts"
debug3: hostkeys_foreach: reading file "/home/martin/.ssh/known_hosts2"
debug3: record_hostkey: found key type RSA in file /home/martin/.ssh/known_hosts2:21
debug3: record_hostkey: found key type DSA in file /home/martin/.ssh/known_hosts2:22
debug3: load_hostkeys: loaded 2 keys from 192.168.111.42
debug3: hostkeys_foreach: reading file "/etc/ssh/ssh_known_hosts"
debug1: Host 'emmas' is known and matches the RSA host key.
debug1: Found key in /home/martin/.ssh/known_hosts2:21
debug1: mac 0x0, -1 -1
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: mac 0xfffffffffd01a730, 1 0
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/martin/.ssh/id_dsa (0xfffffffffd038080),
debug2: key: /home/martin/.ssh/id_rsa (0x0),
debug2: key: /home/martin/.ssh/id_ecdsa (0x0),
debug2: key: /home/martin/.ssh/id_ed25519 (0x0),
debug1: mac 0xfffffffffd01a730, 1 0
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred kerberos-2@ssh.com,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Skipping ssh-dss key /home/martin/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
debug1: Trying private key: /home/martin/.ssh/id_rsa
debug3: no such identity: /home/martin/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/martin/.ssh/id_ecdsa
debug3: no such identity: /home/martin/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/martin/.ssh/id_ed25519
debug3: no such identity: /home/martin/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).


>How-To-Repeat:
just try to ssh anywhere

>Fix:
n/a

>Release-Note:

>Audit-Trail:
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 03:02:49 -0400

 On Aug 14,  6:55am, martin@NetBSD.org (martin@NetBSD.org) wrote:
 -- Subject: bin/50148: new ssh does not work at all


 Mine says:

 debug1: SSH2_MSG_KEXINIT sent
 debug1: SSH2_MSG_KEXINIT received
 debug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com none
 debug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com none
 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
 debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
 debug1: Server host key: RSA b7:f5:a8:45:0c:03:2f:23:a5:c1:0e:d6:13:cb:8f:b3
 debug1: Host '[127.0.0.1]:3022' is known and matches the RSA host key.
 debug1: Found key in /Users/christos/.ssh/known_hosts:279
 debug1: ssh_rsa_verify: signature correct
 debug1: SSH2_MSG_NEWKEYS sent
 debug1: expecting SSH2_MSG_NEWKEYS
 debug1: SSH2_MSG_NEWKEYS received
 debug1: Roaming not allowed by server
 debug1: SSH2_MSG_SERVICE_REQUEST sent
 debug1: SSH2_MSG_SERVICE_ACCEPT received
 debug1: Authentications that can continue: publickey,password,keyboard-interactive
 debug1: Next authentication method: publickey
 debug1: Offering RSA public key: /Users/christos/.ssh/id_rsa
 debug1: Server accepts key: pkalg ssh-rsa blen 149
 debug1: Authentication succeeded (publickey).
 Authenticated to 127.0.0.1 ([127.0.0.1]:3022).
 debug1: channel 0: new [client-session]
 debug1: Requesting no-more-sessions@openssh.com
 debug1: Entering interactive session.
 debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
 Warning: untrusted X11 forwarding setup failed: xauth key data not generated
 debug1: Requesting X11 forwarding with authentication spoofing.
 debug1: Requesting authentication agent forwarding.
 debug1: Sending environment.
 X11 forwarding request failed on channel 0
 Last login: Thu Aug 13 12:58:12 2015
 NetBSD 7.99.20 (GENERIC) #19: Mon Aug 10 10:25:47 EDT 2015

From: John Nemeth <jnemeth@cue.bc.ca>
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 00:55:19 -0700

 On Aug 14,  6:55am, martin@NetBSD.org wrote:
 }
 } >Number:         50148
 } >Synopsis:       new ssh does not work at all
 } >Severity:       critical
 } >Priority:       high
 } >Responsible:    bin-bug-people
 } >State:          open
 } >Class:          sw-bug
 } >Arrival-Date:   Fri Aug 14 06:55:00 +0000 2015
 } >Originator:     Martin Husemann
 } >Release:        NetBSD 7.99.20
 } >Description:
 } 
 } Since updating to the new ssh yesterday, I can't connect anywhere:
 } 
 } [snip]
 } 
 } debug1: Authentications that can continue: publickey
 } debug3: start over, passed a different list publickey
 } debug3: preferred kerberos-2@ssh.com,publickey,keyboard-interactive,password
 } debug3: authmethod_lookup publickey
 } debug3: remaining preferred: keyboard-interactive,password
 } debug3: authmethod_is_enabled publickey
 } debug1: Next authentication method: publickey
 } debug1: Skipping ssh-dss key /home/martin/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes

      I think the issue is here.  Reading the release announcement,
 I see that they have been disabling/deprecating all sorts of things,
 in the name of improving security (and intend to do more of this
 in the next release).  Apparently, they don't think backwards
 compatibility is important.

 From the announcement:

 -----

 [...]
 Changes since OpenSSH 6.9
 =========================

 The focus of this release is primarily to deprecate weak, legacy
 and/or unsafe cryptography.
 [...]
 Potentially-incompatible Changes
 --------------------------------

  * Support for the legacy SSH version 1 protocol is disabled by
    default at compile time.

  * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
    is disabled by default at run-time. It may be re-enabled using
    the instructions at http://www.openssh.com/legacy.html

  * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
    by default at run-time. These may be re-enabled using the
    instructions at http://www.openssh.com/legacy.html

  * Support for the legacy v00 cert format has been removed.

  * The default for the sshd_config(5) PermitRootLogin option has
    changed from "yes" to "prohibit-password".

  * PermitRootLogin=without-password/prohibit-password now bans all
    interactive authentication methods, allowing only public-key,
    hostbased and GSSAPI authentication (previously it permitted
    keyboard-interactive and password-less authentication if those
    were enabled).

 -----

 martin's issue is the third point.

      On a slightly different, but similar issue, I sure hope we
 have reversed the first point (SSHv1 being disabled at compile
 time).  I still use SSHv1 for connecting to older, but perfectly
 functional routers.  What do they expect me to do, switch to using
 telnet, which would be the only alternative?  "Replace the routers"
 is not a good answer.

 } debug1: Trying private key: /home/martin/.ssh/id_rsa
 } debug3: no such identity: /home/martin/.ssh/id_rsa: No such file or directory
 } debug1: Trying private key: /home/martin/.ssh/id_ecdsa
 } debug3: no such identity: /home/martin/.ssh/id_ecdsa: No such file or directory
 } debug1: Trying private key: /home/martin/.ssh/id_ed25519
 } debug3: no such identity: /home/martin/.ssh/id_ed25519: No such file or directory
 } debug2: we did not send a packet, disable method
 } debug1: No more authentication methods to try.
 } Permission denied (publickey).
 } 
 }-- End of excerpt from martin@NetBSD.org

From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 09:34:08 +0200

 Well, the question is: can you log in anywhere else but localhost?

 Martin

From: Martin Husemann <martin@duskware.de>
To: John Nemeth <jnemeth@cue.bc.ca>
Cc: gnats-bugs@NetBSD.org
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 09:58:12 +0200

 On Fri, Aug 14, 2015 at 12:55:19AM -0700, John Nemeth wrote:
 >  * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
 >    by default at run-time. These may be re-enabled using the
 >    instructions at http://www.openssh.com/legacy.html

 Indeed, this is the issue.

 While the agent had an RSA1 key as well, that server only had the DSA
 key as authorized_key.

 So adding 

 PubkeyAcceptedKeyTypes  +ssh-dss

 to /etc/ssh/ssh_config worked around the issue for now.
 Next step: regen some keys and update tons of authorized_keys files.

 Stupid security fascists!
 This needs a VERY PROMINENT heads up somewhere.

 Martin
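
The workaround above re-enables ssh-dss on the client, but the next step named in the reply is the real fix: find and replace the DSA (and RSA1) keys that sit in authorized_keys files on the servers. As an added example, not code from this PR or from OpenSSH, the Python below parses authorized_keys lines (including leading option fields such as command="..."), models the PubkeyAcceptedKeyTypes setting with the "+" append syntax used in the workaround, and lists the entries a client with a given setting can no longer use. The default algorithm list is copied from the client's KEXINIT in the report as a stand-in for the 7.0 client default; the sample file and its key blobs are constructed, and the "rsa1" label for protocol-1 entries is a name chosen here.

```python
"""Audit authorized_keys files for key types a newer OpenSSH client rejects.

Added example for this PR (not code from the PR or from OpenSSH). It models the
client-side PubkeyAcceptedKeyTypes list, including the "+ssh-dss" workaround
from the thread, and reports which authorized_keys entries would no longer be
usable, so they can be regenerated before the upgrade locks anyone out.
"""

# Algorithm list taken from the client's KEXINIT in the report; used here as a
# stand-in for the OpenSSH 7.0 client default (ssh-dss is absent from it).
OPENSSH70_CLIENT_DEFAULT = [
    "ssh-rsa-cert-v01@openssh.com", "ssh-rsa",
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ecdsa-sha2-nistp384-cert-v01@openssh.com",
    "ecdsa-sha2-nistp521-cert-v01@openssh.com",
    "ssh-ed25519-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "ssh-ed25519",
]

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample authorized_keys, not real keys
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER martin@emmas
command="/usr/bin/rsync --server -a . /backup",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER backup@emmas
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER martin@whoever
1024 35 1234567890123456789 martin@oldbox (RSA1)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER martin@laptop
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def accepted_key_types(default, spec):
    """Model PubkeyAcceptedKeyTypes: a leading '+' appends to the default list,
    otherwise the given comma-separated list replaces it."""
    if spec.startswith("+"):
        return list(default) + [t for t in spec[1:].split(",") if t]
    return [t for t in spec.split(",") if t]


def _split_options(line):
    """Split a leading options field from the rest of an authorized_keys line.
    Whitespace inside double quotes (e.g. command="...") does not end the field."""
    in_quote = False
    i = 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\":
            i += 2          # skip an escaped character inside quotes
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def parse_authorized_key(line):
    """Return {'options', 'type', 'blob', 'comment'} for one line, or None for
    blank, comment or malformed lines. Protocol-1 RSA entries ("bits exponent
    modulus [comment]") get the label 'rsa1', a name chosen here because such
    lines carry no algorithm token."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if first.isdigit():
        parts = line.split(None, 3)
        if len(parts) < 3:
            return None
        return {"options": "", "type": "rsa1", "blob": parts[2],
                "comment": parts[3] if len(parts) == 4 else ""}
    options = ""
    if not first.startswith(KEY_TYPE_PREFIXES):
        options, line = _split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    return {"options": options, "type": parts[0], "blob": parts[1],
            "comment": parts[2] if len(parts) == 3 else ""}


def audit_authorized_keys(text, accepted):
    """Return (line_no, key_type, comment) for every key whose type is not in
    the accepted list, i.e. keys a client with that setting can no longer use."""
    rejected = []
    for n, raw in enumerate(text.splitlines(), 1):
        key = parse_authorized_key(raw)
        if key is not None and key["type"] not in accepted:
            rejected.append((n, key["type"], key["comment"]))
    return rejected


if __name__ == "__main__":
    for label, spec in (("default", ""), ("+ssh-dss workaround", "+ssh-dss")):
        accepted = accepted_key_types(OPENSSH70_CLIENT_DEFAULT, spec) if spec else OPENSSH70_CLIENT_DEFAULT
        print(label)
        for n, t, c in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, accepted):
            print(f"  line {n}: {t} ({c}) rejected")
```

Run against a real file with `audit_authorized_keys(open(path).read(), OPENSSH70_CLIENT_DEFAULT)`; with the default list the sample reports both ssh-dss entries and the RSA1 line, and with the "+ssh-dss" workaround only the RSA1 line remains, which matches the thread: the setting papers over the DSA keys but protocol-1 keys are gone regardless.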

From: Ryo ONODERA <ryo_on@yk.rim.or.jp>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 16:02:39 +0900 (JST)

 Do you use DSA key to connect anywhere?
 It seems that OpenSSH 7.0 does not use DSA key by default anymore.

 You should have PubkeyAcceptedKeyTypes in ssh_config?


 From: martin@NetBSD.org, Date: Fri, 14 Aug 2015 06:55:00 +0000 (UTC)

 > 1024 SHA256:AiT3qkunhC+FDKX5cBcnrJ30jSk3EFXiTMl+zGpfTJA martin@emmas.up-vision.de (RSA1)
 > 1024 SHA256:MYiybxoMY5GAp5kVvBKqcBr8TMgHmNcJuvFMBWm20Vo /home/martin/.ssh/id_dsa (DSA)
 > [~] martin@whoever-brings-the-night > ssh -vvvv emmas
 (snip)
 > debug1: Skipping ssh-dss key /home/martin/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
 > debug1: Trying private key: /home/martin/.ssh/id_rsa
 > debug3: no such identity: /home/martin/.ssh/id_rsa: No such file or directory
 > debug1: Trying private key: /home/martin/.ssh/id_ecdsa
 > debug3: no such identity: /home/martin/.ssh/id_ecdsa: No such file or directory
 > debug1: Trying private key: /home/martin/.ssh/id_ed25519
 > debug3: no such identity: /home/martin/.ssh/id_ed25519: No such file or directory
 (snip)

 --
 Ryo ONODERA // ryo_on@yk.rim.or.jp
 PGP fingerprint = 82A2 DC91 76E0 A10A 8ABB  FD1B F404 27FA C7D1 15F3

From: <Paul_Koning@Dell.com>
To: <gnats-bugs@NetBSD.org>
Cc: <gnats-admin@netbsd.org>, <netbsd-bugs@netbsd.org>, <martin@NetBSD.org>
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 13:54:25 +0000

 > On Aug 14, 2015, at 3:35 AM, John Nemeth <jnemeth@cue.bc.ca> wrote:
 > 
 >      I think the issue is here.  Reading the release announcement,
 > I see that they have been disabling/deprecating all sorts of things,
 > in the name of improving security (and intend to do more of this
 > in the next release).  Apparently, they don't think backwards
 > compatibility is important.

 I don’t read it that way.  What they have concluded is that security concerns trump backward compatibility — you do not want to be backward compatible with a security hole.

 	paul

From: <Paul_Koning@Dell.com>
To: <gnats-bugs@NetBSD.org>
Cc: <gnats-admin@netbsd.org>, <netbsd-bugs@netbsd.org>, <martin@NetBSD.org>
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 15:56:45 +0000

 > On Aug 14, 2015, at 3:35 AM, John Nemeth <jnemeth@cue.bc.ca> wrote:
 > 
 > ...
 > 
 >      I think the issue is here.  Reading the release announcement,
 > I see that they have been disabling/deprecating all sorts of things,
 > in the name of improving security (and intend to do more of this
 > in the next release).  Apparently, they don't think backwards
 > compatibility is important.

 (Apologies for the unreadable earlier reply, my mail system was being uncooperative)

 I don’t think that they feel backward compatibility is unimportant.  Rather, the issue is backward compatibility vs. fixing security holes.  If a security hole is considered significant and fixing it requires turning something off that used to be on, this is indeed incompatible, and such a change is the correct one.

 It might be debatable whether the change is justified in this specific case, but the implication that this is careless seems wrong to me.

 	paul

From: pkoning@akdesign.dyndns.org (Paul Koning)
To: martin@netbsd.org, -cc@akdesign.dyndns.org,
	netbsd-bugs@netbsd.org, -cc@akdesign.dyndns.org,
	gnats-admin@netbsd.org, -cc@akdesign.dyndns.org,
	gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 16:21:07 -0400

 (Resending from another machine.  Gnats is so broken it
 can't understand quoted/printable mime content..)


 On Aug 14, 2015, at 3:35 AM, John Nemeth <jnemeth@cue.bc.ca> wrote:

 > ..
 > 
 >    I think the issue is here.  Reading the release announcement,
 > I see that they have been disabling/deprecating all sorts of things,
 > in the name of improving security (and intend to do more of this
 > in the next release).  Apparently, they don't think backwards
 > compatibility is important.

 (Apologies for the unreadable earlier reply, my mail system was being uncooperative)

 I do not think that they feel backward compatibility is unimportant.  Rather, the issue is backward compatibility vs. fixing security holes.  If a security hole is considered significant and fixing it requires turning something off that used to be on, this is indeed incompatible, and such a change is the correct one.

 It might be debatable whether the change is justified in this specific case, but the implication that this is careless seems wrong to me.

 	paul

From: Thomas Klausner <wiz@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 22:39:11 +0200

 What Paul tries to say here is:

 (Apologies for the unreadable earlier reply, my mail system was being
 uncooperative)

 I don't think that they feel backward compatibility is unimportant.
 Rather, the issue is backward compatibility vs. fixing security holes.
 If a security hole is considered significant and fixing it requires
 turning something off that used to be on, this is indeed incompatible,
 and such a change is the correct one.

 It might be debatable whether the change is justified in this specific
 case, but the implication that this is careless seems wrong to me.
 	paul

State-Changed-From-To: open->closed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Fri, 05 Nov 2021 16:40:19 +0000
State-Changed-Why:
Newer ssh versions need more compat entries in .ssh/config for
old hosts.


>Unformatted:
