NetBSD Problem Report #50148

From martin@aprisoft.de  Fri Aug 14 06:52:14 2015
Return-Path: <martin@aprisoft.de>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id AB397A65BA
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 14 Aug 2015 06:52:14 +0000 (UTC)
Message-Id: <20150814065203.8EE40ED0E4F@emmas.aprisoft.de>
Date: Fri, 14 Aug 2015 08:52:03 +0200 (CEST)
From: martin@NetBSD.org
Reply-To: martin@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: new ssh does not work at all
X-Send-Pr-Version: 3.95

>Number:         50148
>Category:       bin
>Synopsis:       new ssh does not work at all
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 14 06:55:00 +0000 2015
>Last-Modified:  Fri Aug 14 20:40:00 +0000 2015
>Originator:     Martin Husemann
>Release:        NetBSD 7.99.20
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD whoever-brings-the-night.aprisoft.de 7.99.20 NetBSD 7.99.20 (WHOEVER) #73: Thu Aug 13 14:15:41 CEST 2015 martin@seven-days-to-the-wolves.aprisoft.de:/ssd/src/sys/arch/sparc64/compile/WHOEVER sparc64
Architecture: sparc64
Machine: sparc64
>Description:

Since updating to the new ssh yesterday, I can't connect anywhere:

[~] martin@whoever-brings-the-night > ssh-add -l
1024 SHA256:AiT3qkunhC+FDKX5cBcnrJ30jSk3EFXiTMl+zGpfTJA martin@emmas.up-vision.de (RSA1)
1024 SHA256:MYiybxoMY5GAp5kVvBKqcBr8TMgHmNcJuvFMBWm20Vo /home/martin/.ssh/id_dsa (DSA)
[~] martin@whoever-brings-the-night > ssh -vvvv emmas
OpenSSH_7.0 NetBSD_Secure_Shell-20150812, OpenSSL 1.0.1p 9 Jul 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to emmas [192.168.111.42] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/martin/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/martin/.ssh/id_rsa-cert type -1
debug1: identity file /home/martin/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /home/martin/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/martin/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/martin/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/martin/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/martin/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.0 NetBSD_Secure_Shell-20150812
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9 NetBSD_Secure_Shell-20110907-hpn13v11-lpk
debug1: match: OpenSSH_5.9 NetBSD_Secure_Shell-20110907-hpn13v11-lpk pat OpenSSH_5* compat 0x0c000000
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to emmas:22 as 'martin'
debug3: hostkeys_foreach: reading file "/home/martin/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA1 in file /home/martin/.ssh/known_hosts:10
debug3: load_hostkeys: loaded 1 keys from emmas
debug3: hostkeys_foreach: reading file "/home/martin/.ssh/known_hosts2"
debug3: record_hostkey: found key type RSA in file /home/martin/.ssh/known_hosts2:21
debug3: record_hostkey: found key type DSA in file /home/martin/.ssh/known_hosts2:22
debug3: load_hostkeys: loaded 2 keys from emmas
debug3: hostkeys_foreach: reading file "/etc/ssh/ssh_known_hosts"
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa
debug1: mac 0x0, -1 -1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: mac 0x0, -1 -1
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:CRTjxxHqPvvLWp7XhLQPS1A9R3NNUVIKmQUPrp874uw
debug3: hostkeys_foreach: reading file "/home/martin/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA1 in file /home/martin/.ssh/known_hosts:10
debug3: load_hostkeys: loaded 1 keys from emmas
debug3: hostkeys_foreach: reading file "/home/martin/.ssh/known_hosts2"
debug3: record_hostkey: found key type RSA in file /home/martin/.ssh/known_hosts2:21
debug3: record_hostkey: found key type DSA in file /home/martin/.ssh/known_hosts2:22
debug3: load_hostkeys: loaded 2 keys from emmas
debug3: hostkeys_foreach: reading file "/etc/ssh/ssh_known_hosts"
debug3: hostkeys_foreach: reading file "/home/martin/.ssh/known_hosts"
debug3: hostkeys_foreach: reading file "/home/martin/.ssh/known_hosts2"
debug3: record_hostkey: found key type RSA in file /home/martin/.ssh/known_hosts2:21
debug3: record_hostkey: found key type DSA in file /home/martin/.ssh/known_hosts2:22
debug3: load_hostkeys: loaded 2 keys from 192.168.111.42
debug3: hostkeys_foreach: reading file "/etc/ssh/ssh_known_hosts"
debug1: Host 'emmas' is known and matches the RSA host key.
debug1: Found key in /home/martin/.ssh/known_hosts2:21
debug1: mac 0x0, -1 -1
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: mac 0xfffffffffd01a730, 1 0
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/martin/.ssh/id_dsa (0xfffffffffd038080),
debug2: key: /home/martin/.ssh/id_rsa (0x0),
debug2: key: /home/martin/.ssh/id_ecdsa (0x0),
debug2: key: /home/martin/.ssh/id_ed25519 (0x0),
debug1: mac 0xfffffffffd01a730, 1 0
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred kerberos-2@ssh.com,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Skipping ssh-dss key /home/martin/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
debug1: Trying private key: /home/martin/.ssh/id_rsa
debug3: no such identity: /home/martin/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/martin/.ssh/id_ecdsa
debug3: no such identity: /home/martin/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/martin/.ssh/id_ed25519
debug3: no such identity: /home/martin/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).


>How-To-Repeat:
just try to ssh anywhere

>Fix:
n/a

>Audit-Trail:
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 03:02:49 -0400

 On Aug 14,  6:55am, martin@NetBSD.org (martin@NetBSD.org) wrote:
 -- Subject: bin/50148: new ssh does not work at all


 Mine says:

 debug1: SSH2_MSG_KEXINIT sent
 debug1: SSH2_MSG_KEXINIT received
 debug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com none
 debug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com none
 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
 debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
 debug1: Server host key: RSA b7:f5:a8:45:0c:03:2f:23:a5:c1:0e:d6:13:cb:8f:b3
 debug1: Host '[127.0.0.1]:3022' is known and matches the RSA host key.
 debug1: Found key in /Users/christos/.ssh/known_hosts:279
 debug1: ssh_rsa_verify: signature correct
 debug1: SSH2_MSG_NEWKEYS sent
 debug1: expecting SSH2_MSG_NEWKEYS
 debug1: SSH2_MSG_NEWKEYS received
 debug1: Roaming not allowed by server
 debug1: SSH2_MSG_SERVICE_REQUEST sent
 debug1: SSH2_MSG_SERVICE_ACCEPT received
 debug1: Authentications that can continue: publickey,password,keyboard-interactive
 debug1: Next authentication method: publickey
 debug1: Offering RSA public key: /Users/christos/.ssh/id_rsa
 debug1: Server accepts key: pkalg ssh-rsa blen 149
 debug1: Authentication succeeded (publickey).
 Authenticated to 127.0.0.1 ([127.0.0.1]:3022).
 debug1: channel 0: new [client-session]
 debug1: Requesting no-more-sessions@openssh.com
 debug1: Entering interactive session.
 debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
 Warning: untrusted X11 forwarding setup failed: xauth key data not generated
 debug1: Requesting X11 forwarding with authentication spoofing.
 debug1: Requesting authentication agent forwarding.
 debug1: Sending environment.
 X11 forwarding request failed on channel 0
 Last login: Thu Aug 13 12:58:12 2015
 NetBSD 7.99.20 (GENERIC) #19: Mon Aug 10 10:25:47 EDT 2015

From: John Nemeth <jnemeth@cue.bc.ca>
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 00:55:19 -0700

 On Aug 14,  6:55am, martin@NetBSD.org wrote:
 }
 } >Number:         50148
 } >Synopsis:       new ssh does not work at all
 } >Severity:       critical
 } >Priority:       high
 } >Responsible:    bin-bug-people
 } >State:          open
 } >Class:          sw-bug
 } >Arrival-Date:   Fri Aug 14 06:55:00 +0000 2015
 } >Originator:     Martin Husemann
 } >Release:        NetBSD 7.99.20
 } >Description:
 } 
 } Since updating to the new ssh yesterday, I can't connect anywhere:
 } 
 } [snip]
 } 
 } debug1: Authentications that can continue: publickey
 } debug3: start over, passed a different list publickey
 } debug3: preferred kerberos-2@ssh.com,publickey,keyboard-interactive,password
 } debug3: authmethod_lookup publickey
 } debug3: remaining preferred: keyboard-interactive,password
 } debug3: authmethod_is_enabled publickey
 } debug1: Next authentication method: publickey
 } debug1: Skipping ssh-dss key /home/martin/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes

      I think the issue is here.  Reading the release announcement,
 I see that they have been disabling/deprecating all sorts of things,
 in the name of improving security (and intend to do more of this
 in the next release).  Apparently, they don't think backwards
 compatibility is important.

 >From the announcment:

 -----

 [...]
 Changes since OpenSSH 6.9
 =========================

 This focus of this release is primarily to deprecate weak, legacy
 and/or unsafe cryptography.
 [...]
 Potentially-incompatible Changes
 --------------------------------

  * Support for the legacy SSH version 1 protocol is disabled by
    default at compile time.

  * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
    is disabled by default at run-time. It may be re-enabled using
    the instructions at http://www.openssh.com/legacy.html

  * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
    by default at run-time. These may be re-enabled using the
    instructions at http://www.openssh.com/legacy.html

  * Support for the legacy v00 cert format has been removed.

  * The default for the sshd_config(5) PermitRootLogin option has
    changed from "yes" to "prohibit-password".

  * PermitRootLogin=without-password/prohibit-password now bans all
    interactive authentication methods, allowing only public-key,
    hostbased and GSSAPI authentication (previously it permitted
    keyboard-interactive and password-less authentication if those
    were enabled).

 -----

 martin's issue is the third point.

      On a slightly different, but similar issue, I sure hope we
 have reversed the first point (SSHv1 being disabled at compile
 time).  I still use SSHv1 for connecting to older, but perfectly
 functional routers.  What do they expect me to do, switch to using
 telnet, which would be the only alternative.  "Replace the routers"
 is not a good answer.

 } debug1: Trying private key: /home/martin/.ssh/id_rsa
 } debug3: no such identity: /home/martin/.ssh/id_rsa: No such file or directory
 } debug1: Trying private key: /home/martin/.ssh/id_ecdsa
 } debug3: no such identity: /home/martin/.ssh/id_ecdsa: No such file or directory
 } debug1: Trying private key: /home/martin/.ssh/id_ed25519
 } debug3: no such identity: /home/martin/.ssh/id_ed25519: No such file or directory
 } debug2: we did not send a packet, disable method
 } debug1: No more authentication methods to try.
 } Permission denied (publickey).
 } 
 }-- End of excerpt from martin@NetBSD.org

From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 09:34:08 +0200

 Well, the question is: can you log in anywhere else but localhost?

 Martin

From: Martin Husemann <martin@duskware.de>
To: John Nemeth <jnemeth@cue.bc.ca>
Cc: gnats-bugs@NetBSD.org
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 09:58:12 +0200

 On Fri, Aug 14, 2015 at 12:55:19AM -0700, John Nemeth wrote:
 >  * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
 >    by default at run-time. These may be re-enabled using the
 >    instructions at http://www.openssh.com/legacy.html

 Indeed, this is the issue.

 While the agent had an RSA1 key as well, that server only had the DSA
 key as authorized_key.

 So adding 

 PubkeyAcceptedKeyTypes  +ssh-dss

 to /etc/ssh/ssh_config worked around the issue for now.
 Next step: regen some keys and update tons of authorized_keys files.

 Stupid security facists!
 This needs a VERY PROMINENT heads up somewhere.

 Martin

From: Ryo ONODERA <ryo_on@yk.rim.or.jp>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 16:02:39 +0900 (JST)

 Do you use DSA key to connect anywhere?
 It seems that OpenSSH 7.0 does not use DSA key by default anymore.

 You should have PubkeyAcceptedKeyTypes in ssh_config?


 From: martin@NetBSD.org, Date: Fri, 14 Aug 2015 06:55:00 +0000 (UTC)

 > 1024 SHA256:AiT3qkunhC+FDKX5cBcnrJ30jSk3EFXiTMl+zGpfTJA martin@emmas.up-vision.de (RSA1)
 > 1024 SHA256:MYiybxoMY5GAp5kVvBKqcBr8TMgHmNcJuvFMBWm20Vo /home/martin/.ssh/id_dsa (DSA)
 > [~] martin@whoever-brings-the-night > ssh -vvvv emmas
 (snip)
 > debug1: Skipping ssh-dss key /home/martin/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
 > debug1: Trying private key: /home/martin/.ssh/id_rsa
 > debug3: no such identity: /home/martin/.ssh/id_rsa: No such file or directory
 > debug1: Trying private key: /home/martin/.ssh/id_ecdsa
 > debug3: no such identity: /home/martin/.ssh/id_ecdsa: No such file or directory
 > debug1: Trying private key: /home/martin/.ssh/id_ed25519
 > debug3: no such identity: /home/martin/.ssh/id_ed25519: No such file or directory
 (snip)

 --
 Ryo ONODERA // ryo_on@yk.rim.or.jp
 PGP fingerprint = 82A2 DC91 76E0 A10A 8ABB  FD1B F404 27FA C7D1 15F3

From: <Paul_Koning@Dell.com>
To: <gnats-bugs@NetBSD.org>
Cc: <gnats-admin@netbsd.org>, <netbsd-bugs@netbsd.org>, <martin@NetBSD.org>
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 13:54:25 +0000

 DQo+IE9uIEF1ZyAxNCwgMjAxNSwgYXQgMzozNSBBTSwgSm9obiBOZW1ldGggPGpuZW1ldGhAY3Vl
 LmJjLmNhPiB3cm90ZToNCj4gDQo+ICAgICAgSSB0aGluayB0aGUgaXNzdWUgaXMgaGVyZS4gIFJl
 YWRpbmcgdGhlIHJlbGVhc2UgYW5ub3VuY2VtZW50LA0KPiBJIHNlZSB0aGF0IHRoZXkgaGF2ZSBi
 ZWVuIGRpc2FibGluZy9kZXByZWNhdGluZyBhbGwgc29ydHMgb2YgdGhpbmdzLA0KPiBpbiB0aGUg
 bmFtZSBvZiBpbXByb3Zpbmcgc2VjdXJpdHkgKGFuZCBpbnRlbmQgdG8gZG8gbW9yZSBvZiB0aGlz
 DQo+IGluIHRoZSBuZXh0IHJlbGVhc2UpLiAgQXBwYXJlbnRseSwgdGhleSBkb24ndCB0aGluayBi
 YWNrd2FyZHMNCj4gY29tcGF0aWJpbGl0eSBpcyBpbXBvcnRhbnQuDQoNCkkgZG9u4oCZdCByZWFk
 IGl0IHRoYXQgd2F5LiAgV2hhdCB0aGV5IGhhdmUgY29uY2x1ZGVkIGlzIHRoYXQgc2VjdXJpdHkg
 Y29uY2VybnMgdHJ1bXAgYmFja3dhcmQgY29tcGF0aWJpbGl0eSDigJQgeW91IGRvIG5vdCB3YW50
 IHRvIGJlIGJhY2t3YXJkIGNvbXBhdGlibGUgd2l0aCBhIHNlY3VyaXR5IGhvbGUuDQoNCglwYXVs
 DQoNCg==

From: <Paul_Koning@Dell.com>
To: <gnats-bugs@NetBSD.org>
Cc: <gnats-admin@netbsd.org>, <netbsd-bugs@netbsd.org>, <martin@NetBSD.org>
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 15:56:45 +0000

 DQo+IE9uIEF1ZyAxNCwgMjAxNSwgYXQgMzozNSBBTSwgSm9obiBOZW1ldGggPGpuZW1ldGhAY3Vl
 LmJjLmNhPiB3cm90ZToNCj4gDQo+IC4uLg0KPiANCj4gICAgICBJIHRoaW5rIHRoZSBpc3N1ZSBp
 cyBoZXJlLiAgUmVhZGluZyB0aGUgcmVsZWFzZSBhbm5vdW5jZW1lbnQsDQo+IEkgc2VlIHRoYXQg
 dGhleSBoYXZlIGJlZW4gZGlzYWJsaW5nL2RlcHJlY2F0aW5nIGFsbCBzb3J0cyBvZiB0aGluZ3Ms
 DQo+IGluIHRoZSBuYW1lIG9mIGltcHJvdmluZyBzZWN1cml0eSAoYW5kIGludGVuZCB0byBkbyBt
 b3JlIG9mIHRoaXMNCj4gaW4gdGhlIG5leHQgcmVsZWFzZSkuICBBcHBhcmVudGx5LCB0aGV5IGRv
 bid0IHRoaW5rIGJhY2t3YXJkcw0KPiBjb21wYXRpYmlsaXR5IGlzIGltcG9ydGFudC4NCg0KKEFw
 b2xvZ2llcyBmb3IgdGhlIHVucmVhZGFibGUgZWFybGllciByZXBseSwgbXkgbWFpbCBzeXN0ZW0g
 d2FzIGJlaW5nIHVuY29vcGVyYXRpdmUpDQoNCkkgZG9u4oCZdCB0aGluayB0aGF0IHRoZXkgZmVl
 bCBiYWNrd2FyZCBjb21wYXRpYmlsaXR5IGlzIHVuaW1wb3J0YW50LiAgUmF0aGVyLCB0aGUgaXNz
 dWUgaXMgYmFja3dhcmQgY29tcGF0aWJpbGl0eSB2cy4gZml4aW5nIHNlY3VyaXR5IGhvbGVzLiAg
 SWYgYSBzZWN1cml0eSBob2xlIGlzIGNvbnNpZGVyZWQgc2lnbmlmaWNhbnQgYW5kIGZpeGluZyBp
 dCByZXF1aXJlcyB0dXJuaW5nIHNvbWV0aGluZyBvZmYgdGhhdCB1c2VkIHRvIGJlIG9uLCB0aGlz
 IGlzIGluZGVlZCBpbmNvbXBhdGlibGUsIGFuZCBzdWNoIGEgY2hhbmdlIGlzIHRoZSBjb3JyZWN0
 IG9uZS4NCg0KSXQgbWlnaHQgYmUgZGViYXRhYmxlIHdoZXRoZXIgdGhlIGNoYW5nZSBpcyBqdXN0
 aWZpZWQgaW4gdGhpcyBzcGVjaWZpYyBjYXNlLCBidXQgdGhlIGltcGxpY2F0aW9uIHRoYXQgdGhp
 cyBpcyBjYXJlbGVzcyBzZWVtcyB3cm9uZyB0byBtZS4NCg0KCXBhdWwNCg==

From: pkoning@akdesign.dyndns.org (Paul Koning)
To: martin@netbsd.org, -cc@akdesign.dyndns.org,
	netbsd-bugs@netbsd.org, -cc@akdesign.dyndns.org,
	gnats-admin@netbsd.org, -cc@akdesign.dyndns.org,
	gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 16:21:07 -0400

 (Resending from another machine.  Gnats is so broken it
 can't understand quoted/printable mime content..)


 On Aug 14, 2015, at 3:35 AM, John Nemeth <jnemeth@cue.bc.ca> wrote:

 > ..
 > 
 >    I think the issue is here.  Reading the release announcement,
 > I see that they have been disabling/deprecating all sorts of things,
 > in the name of improving security (and intend to do more of this
 > in the next release).  Apparently, they don't think backwards
 > compatibility is important.

 (Apologies for the unreadable earlier reply, my mail system was being uncooperative)

 I do not think that they feel backward compatibility is unimportant.  Rather, the issue is backward compatibility vs. fixing security holes.  If a security hole is considered significant and fixing it requires turning something off that used to be on, this is indeed incompatible, and such a change is the correct one.

 It might be debatable whether the change is justified in this specific case, but the implication that this is careless seems wrong to me.

 	paul

From: Thomas Klausner <wiz@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 22:39:11 +0200

 What Paul tries to say here is:

 (Apologies for the unreadable earlier reply, my mail system was being
 uncooperative)

 I don't think that they feel backward compatibility is unimportant.
 Rather, the issue is backward compatibility vs. fixing security holes.
 If a security hole is considered significant and fixing it requires
 turning something off that used to be on, this is indeed incompatible,
 and such a change is the correct one.

 It might be debatable whether the change is justified in this specific
 case, but the implication that this is careless seems wrong to me.
 	paul

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.