OpenSSH announces DSA-removal timeline
Posted Jan 13, 2024 14:33 UTC (Sat) by pizza (subscriber, #46)
In reply to: OpenSSH announces DSA-removal timeline by tialaramex
Parent article: OpenSSH announces DSA-removal timeline
*shrug* So I was off by one iteration. Big whoop.
(And just because something was defined on a certain date doesn't imply any sort of schedule for implementations to be widely available! Case in point: IPv6...)
Meanwhile. Not everything is a general-purpose system with freely upgradeable (client &| server) software, there is a very real, non-trivial cost associated with replacing said equipment, and most of us don't have unlimited budgets.
(My "new" 10GbE PoE switch was discontinued by its manufacturer in _2015_. Current-model replacements run at least $1000 for tier-2 gear [2]. It's also not internet-facing; in order for the switch to be a security risk my network would need to have already been completely compromised!)
[1] released in 2011
[2] e.g. Linksys or Netgear as opposed to, say, top shelf Dell/HPE/Cisco or the syllable soup brands found on Aliexpress)
Posted Jan 13, 2024 15:28 UTC (Sat)
by pizza (subscriber, #46)
[Link] (1 responses)
Apparently this particular unit is running OpenSSH 5.8, and current OpenSSH 9.x (at least as shipped by Fedora 38+) refuses to negotiate a session key [1]. I haven't needed to get into this thing for the better part of a year, when I expanded one of the VLANs. I'm glad I found out about this problem now, when I have physical access to connect to the switch's serial console and no emergency going on.
[1] Can't negotiate a mutually perceptible host key algorithm. I _might_ be able to resolve this with a config change on the switch. But that requires being able to log in first.
Posted Jan 14, 2024 8:57 UTC (Sun)
by cjwatson (subscriber, #7322)
[Link]
Posted Jan 14, 2024 17:52 UTC (Sun)
by vadim (subscriber, #35271)
[Link] (2 responses)
Try something from Mikrotik perhaps? They have plenty of 10G stuff, and some stuff that goes higher, and it's very affordable.
The UI is definitely for technically minded people, but the software gets very regular updates and is the same for all their modern stuff.
Posted Jan 14, 2024 19:40 UTC (Sun)
by pizza (subscriber, #46)
[Link] (1 responses)
I actually have two mostly-SFP 10GbE Mikrotik switches in use, and I'm quite pleased with them.
Unfortunately, PoE is a big cost driver; a Mikrotik 48-port PoE with 10G SFP ports will still run about $900 shipped.
(...Why SFP? Because fiber lets me not worry about lightning strikes. Or care about cable run length/bandwidth limitations..)
Posted Jan 14, 2024 20:42 UTC (Sun)
by vadim (subscriber, #35271)
[Link]
If this is for an enterprise environment, then $900 isn't that much money. If it's for home use, you probably don't have 48 devices that need PoE there. Since it's a switch you can just have two of them.
Posted Jan 14, 2024 20:52 UTC (Sun)
by zdzichu (subscriber, #17118)
[Link] (4 responses)
Ah yes. I've bought a TP-Link TL-SG2216 switch with 5 year warranty for home. Managed – over HTTPS and SSH.
During the last year of the warranty, I've noticed it only supported TLS1.0 with laughable ciphers:
Preferred TLSv1.0 128 bits RC4-SHA
Accepted TLSv1.0 128 bits RC4-MD5
Accepted TLSv1.0 112 bits DES-CBC3-SHA
Accepted TLSv1.0 56 bits TLS_RSA_WITH_DES_CBC_SHA
I've noticed because web browsers disabled TLS < 1.2 some time ago (and this is good). I've opened a support issue with TP-Link; after all, the feature (which was a selling point to me) stopped working. After a longish email thread explaining that I would like the feature to work again(*), my issue got closed, because: 1) my 5 year warranty just ended; 2) I should have opened a ticket with the reseller, not TP-Link themselves. :(
(*) Getting the HTTPS fixed would require TP-Link to implement TLS 1.2 in their firmware. Which may be impossible, but was not business-sensible for sure. They discontinued the switch in the meantime, despite having units covered by 5 year warranty in the field.
Oh, and the second management option, SSH? Since the beginning I had to use this invocation:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=aes256-cbc -oHostKeyAlgorithms=+ssh-dss …
Network hardware vendors are the worst.
Posted Jan 15, 2024 10:19 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (2 responses)
Okay, this is UK rules, but under them, point 2 is valid. HOWEVER. You now just raise the issue with the reseller - the fact that your five-year warranty has expired is irrelevant. The warranty covers faults THAT EXISTED in the warranty period. If you claim outside the period, then you have the burden of proving they were pre-existing faults, but "the warranty has expired" on its own is not sufficient to turn down a warranty claim. You've got a dead-easy proof - you raised the issue with TP-Link during the warranty period ...
Cheers,
Wol
Posted Jan 15, 2024 11:47 UTC (Mon)
by zdzichu (subscriber, #17118)
[Link] (1 responses)
Posted Jan 15, 2024 16:46 UTC (Mon)
by Wol (subscriber, #4433)
[Link]
For Directives, the national implementation must implement the directive *as a minimum*. UK rules are noticeably different from the directive, but because they are much stricter that's not a problem. However, I would have thought this would be covered by the directive.
Cheers,
Wol
Posted Jan 18, 2024 23:14 UTC (Thu)
by rknight (subscriber, #26792)
[Link]
Not sure what family the TL-SG2216 is in, but at least a couple of TP-Link switches have some support from OpenWrt now and therefore have support for modern HTTPS and SSH. See https://openwrt.org/docs/techref/targets/realtek for a current list of supported switches. Note that some enterprise features of the switch are not yet supported, but basic switching and PoE support are there.
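As an added illustration of the negotiation failure pizza and zdzichu describe above (this is not code from the thread or from OpenSSH): a parser for the KEXINIT message each side sends right after the version string, run over a constructed packet mimicking a switch stuck on OpenSSH 5.8 with a DSA host key, and a check of which name-lists share nothing with an assumed, abbreviated set of 2024 OpenSSH 9.x client defaults. Knowing exactly which legacy algorithms a device needs lets you confine any re-enabled ones to a single Host stanza in ssh_config instead of loosening the client globally.

```python
import struct
# SSH_MSG_KEXINIT (RFC 4253 s7.1): msg byte, 16-byte cookie, ten name-lists, a bool, reserved uint32.
SSH_MSG_KEXINIT = 20
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)
def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode name-lists as a KEXINIT packet (used here only to construct the sample)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    body += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved
    pad_len = 8 - (5 + len(body)) % 8      # packet length a multiple of 8, padding >= 4
    pad_len += 8 if pad_len < 4 else 0
    return struct.pack(">IB", 1 + len(body) + pad_len, pad_len) + body + bytes(pad_len)
def parse_kexinit(packet):
    """Decode the first packet a server sends after the version string into its name-lists."""
    packet_len, pad_len = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + packet_len - pad_len - 1]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, lists = 17, {}  # skip message byte and cookie
    for name in KEXINIT_FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")
        lists[name] = payload[pos + 4:pos + 4 + n].decode("ascii").split(",") if n else []
        pos += 4 + n
    return lists
# Assumed, abbreviated defaults of a 2024 OpenSSH 9.x client; confirm with `ssh -Q kex` etc.
MODERN_CLIENT = {
    "kex_algorithms": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256"],
    "encryption_client_to_server": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"],
}
def negotiation_gaps(server, client=MODERN_CLIENT):
    """Name-lists with no algorithm in common, mapped to what the server offers instead."""
    return {k: server[k] for k, ok in client.items() if not set(server[k]) & set(ok)}
# Constructed sample: what a switch stuck on OpenSSH 5.8 with a DSA host key might offer.
LEGACY_SWITCH = build_kexinit({
    "kex_algorithms": ["diffie-hellman-group1-sha1"], "server_host_key_algorithms": ["ssh-dss"],
    "encryption_client_to_server": ["aes256-cbc", "3des-cbc"], "encryption_server_to_client": ["aes256-cbc", "3des-cbc"],
    "mac_client_to_server": ["hmac-sha1"], "mac_server_to_client": ["hmac-sha1"],
    "compression_client_to_server": ["none"], "compression_server_to_client": ["none"],
})
```

The three gaps reported for the sample (KEX, host key, cipher) are exactly the three options zdzichu's invocation has to re-enable; against a real device, feed parse_kexinit the first packet read after the version exchange.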