| Started by | doctor@doctor.nl2k.ab.ca (The Doctor) |
|---|---|
| First post | 2025-09-25 12:15 +0000 |
| Last post | 2025-09-26 14:31 +0000 |
| Articles | 13 — 8 participants |
SSH Compability doctor@doctor.nl2k.ab.ca (The Doctor) - 2025-09-25 12:15 +0000
Re: SSH Compability Marco Moock <mm@dorfdsl.de> - 2025-09-25 15:15 +0200
Re: SSH Compability Jason H <jason_hindle@yahoo.com> - 2025-09-25 21:21 +0000
Re: SSH Compability Marco Moock <mm@dorfdsl.de> - 2025-09-26 07:12 +0200
Re: SSH Compability Richard Kettlewell <invalid@invalid.invalid> - 2025-09-26 08:52 +0100
Re: SSH Compability Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-09-26 08:25 +0000
Re: SSH Compability Marc Haber <mh+usenetspam1118@zugschl.us> - 2025-09-26 10:44 +0200
Re: SSH Compability Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-09-26 21:38 +0000
Re: SSH Compability "Carlos E.R." <robin_listas@es.invalid> - 2025-09-28 13:54 +0200
Re: SSH Compability Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-09-28 19:24 +0000
Re: SSH Compability "Carlos E.R." <robin_listas@es.invalid> - 2025-09-28 21:36 +0200
Re: SSH Compability Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-09-25 22:05 +0000
Re: SSH Compability John McCue <jmclnx@gmail.com.invalid> - 2025-09-26 14:31 +0000
| From | doctor@doctor.nl2k.ab.ca (The Doctor) |
|---|---|
| Date | 2025-09-25 12:15 +0000 |
| Subject | SSH Compability |
| Message-ID | <10b3bop$mm$3@gallifrey.nk.ca> |
Hello, will all Linux Distros upgrade to Openssh 10.X upwards?

This is a quantum signature flaw that might affect all distros.

--
Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ;
All I want to hear from JEsus Christ is WEll done Good and Faithful servant
| From | Marco Moock <mm@dorfdsl.de> |
|---|---|
| Date | 2025-09-25 15:15 +0200 |
| Message-ID | <10b3f8o$19o1u$6@paganini.bofh.team> |
| In reply to | #75199 |
On 25.09.2025 12:15 The Doctor wrote:
> Hello, will all Linux Distros upgrade to Openssh 10.X upwards?

Sooner or later they will.
Slackware current already did.

Is there any special problem with that version?
| From | Jason H <jason_hindle@yahoo.com> |
|---|---|
| Date | 2025-09-25 21:21 +0000 |
| Message-ID | <10b4bpk$jagd$1@dont-email.me> |
| In reply to | #75216 |
On 25/09/2025 14:15, Marco Moock wrote:
>On 25.09.2025 12:15 The Doctor wrote:
>
>> Hello, will all Linux Distros upgrade to Openssh 10.X upwards?
>
>Sooner or later they will.
>Slackware current already did.
>
>Is there any special problem with that version?
>

I assume connecting to older systems might be a problem. I've not yet encountered an issue in my Linux OS installs, but found it when I upgraded to macOS Tahoe over the weekend. More info here:

https://discussions.apple.com/thread/256145769?sortBy=rank

I can understand the reasoning, but plenty of software companies need to support systems older than 10 years old (in some cases far older).

--
--
A PICKER OF UNCONSIDERED TRIFLES
| From | Marco Moock <mm@dorfdsl.de> |
|---|---|
| Date | 2025-09-26 07:12 +0200 |
| Message-ID | <10b57bi$1j1ve$2@paganini.bofh.team> |
| In reply to | #75247 |
On 25.09.2025 21:21 Jason H wrote:
> I can understand the reasoning, but plenty of software companies need
> to support systems older than 10 years old (in some cases far older).

I've some older Cisco devices that need special SSH config, e.g. ssh-rsa, diffie-hellman-group14-sha1 and cipher options.

Still works with OpenSSH 10 - the devices are older than 10 years, software is the latest available.

I haven't been in need to use DSA.

Which devices do you have that need that?
| From | Richard Kettlewell <invalid@invalid.invalid> |
|---|---|
| Date | 2025-09-26 08:52 +0100 |
| Message-ID | <wwvms6hps5m.fsf@LkoBDZeT.terraraq.uk> |
| In reply to | #75266 |
Marco Moock <mm@dorfdsl.de> writes:
> On 25.09.2025 21:21 Jason H wrote:
>> I can understand the reasoning, but plenty of software companies need
>> to support systems older than 10 years old (in some cases far older).

They’ve had plenty of time to migrate; see below for specifics. At this point it’s no longer reasonable to expect implementors to support DSA-1024 (especially if you’re not even paying them for their time).

> I've some older Cisco devices that need special SSH config, e.g.
> ssh-rsa, diffie-hellman-group14-sha1 and cipher options.

ssh-rsa signatures with a large enough key (2048+ bits) should be OK for the time being.

diffie-hellman-group14-sha1 uses MODP2048, which should also be OK for now, but SHA-1 for the session transcript hash, which is probably breakable with about $110K of compute time.

https://inria.hal.science/hal-01244855v1/document
https://inria.hal.science/hal-02424900/file/SHA1_EC19.pdf

> Still works with OpenSSH 10 - the devices are older than 10 years,
> software is the latest available.
>
> I haven't been in need to use DSA.
>
> Which devices do you have that need that?

DSA-1024 is in the “probably breakable” category now, albeit very expensive to do so.

In the OpenSSH context:

* DSA-1024 support was disabled by default a decade ago. So, a decade’s notice to find an alternative.
* Older SSH clients remain available, for anyone who can’t avoid DSA-1024.

In the FIPS-140 context, DSA-1024 signature generation has been disallowed since 2013 (with deprecation announced in 2011) so 14 years notice to move to an alternative. Irrelevant to private individuals but (using the example you mentioned above) Cisco are well aware of it.

--
https://www.greenend.org.uk/rjk/
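One way to check that the legacy algorithms discussed in the post above stay confined to the devices that need them, as an added example that is not part of the original posts: it scans an OpenSSH client configuration and reports where `ssh-dss`, `ssh-rsa` or `diffie-hellman-group14-sha1` are enabled and whether that applies to every host. The sample configuration and host names are constructed, and `Match` blocks are only distinguished as `Match all` versus anything else.

```python
import re

# Ratings paraphrase the assessments given in the post above.
LEGACY = {
    "ssh-dss": "DSA-1024: probably breakable, though expensive",
    "diffie-hellman-group14-sha1": "MODP2048 OK for now; SHA-1 transcript hash is weak",
    "ssh-rsa": "OK for the time being with a 2048+ bit key",
}
ALGO_KEYWORDS = {"kexalgorithms", "hostkeyalgorithms", "pubkeyacceptedalgorithms"}

# Constructed sample configuration (host names are placeholders).
SAMPLE_CONFIG = """\
KexAlgorithms +diffie-hellman-group14-sha1
Host old-switch.example
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms=+ssh-rsa
Host *
    HostKeyAlgorithms +ssh-dss
Host modern.example
    KexAlgorithms -diffie-hellman-group14-sha1
"""

def audit(config_text):
    """Return (scope, keyword, algorithm, applies_to_all_hosts) per legacy algorithm enabled."""
    findings, scope, is_global = [], "(global)", True
    for raw in config_text.splitlines():
        parts = re.split(r"\s*=\s*|\s+", raw.strip(), maxsplit=1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue                          # blank line, comment or bare keyword
        keyword, value = parts
        key = keyword.lower()                 # ssh_config keywords are case-insensitive
        if key == "host":
            scope, is_global = value, "*" in value.split()
        elif key == "match":
            scope, is_global = "Match " + value, value.lower() == "all"
        elif key in ALGO_KEYWORDS and not value.startswith("-"):
            # "+list" appends and "^list" prepends to the defaults; "-list" only removes
            for algo in value.lstrip("+^").split(","):
                if algo.strip() in LEGACY:
                    findings.append((scope, keyword, algo.strip(), is_global))
    return findings

def unscoped(findings):
    """Legacy algorithms enabled for every host instead of one named device."""
    return [f for f in findings if f[3]]
```

In ssh_config the first value obtained for a parameter wins, so the global `KexAlgorithms` line in the sample also takes effect for `modern.example`; per-device exceptions belong in their own `Host` blocks near the top of the file.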
| From | Lawrence D’Oliveiro <ldo@nz.invalid> |
|---|---|
| Date | 2025-09-26 08:25 +0000 |
| Message-ID | <10b5ilo$s3j2$1@dont-email.me> |
| In reply to | #75274 |
On Fri, 26 Sep 2025 08:52:21 +0100, Richard Kettlewell wrote:

> In the FIPS-140 context, DSA-1024 signature generation has been
> disallowed since 2013 (with deprecation announced in 2011) so 14 years
> notice to move to an alternative.

The only reason for the existence of DSA in the first place was to get around US export restrictions on encryption at the time, when it was thought that an algorithm could be designed specifically for digital signatures, without being useful for encryption at the same time.

This assumption turned out to be false.
| From | Marc Haber <mh+usenetspam1118@zugschl.us> |
|---|---|
| Date | 2025-09-26 10:44 +0200 |
| Message-ID | <10b5jpt$2tvgh$1@news1.tnib.de> |
| In reply to | #75266 |
Marco Moock <mm@dorfdsl.de> wrote:
>Which devices do you have that need that?

Old switches from non-premium vendors. Old other network devices (for example PDUs and UPSes).

Greetings
Marc
--
----------------------------------------------------------------------------
Marc Haber         |   " Questions are the         | Mail address in header
Rhein-Neckar, DE   |     Beginning of Wisdom "     |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402
| From | Lawrence D’Oliveiro <ldo@nz.invalid> |
|---|---|
| Date | 2025-09-26 21:38 +0000 |
| Message-ID | <10b7147$1adph$5@dont-email.me> |
| In reply to | #75276 |
On Fri, 26 Sep 2025 10:44:45 +0200, Marc Haber wrote:

> Marco Moock <mm@dorfdsl.de> wrote:
>>
>> Which devices do you have that need that?
>
> Old switches from non-premium vendors.

A client of mine once bought a brand-new router from a well-known vendor (Allied Telesyn -- or was that Allied Telesis?). This was in the early ’00s. Its SSH support only allowed for DES encryption -- not even triple-DES.
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-09-28 13:54 +0200 |
| Message-ID | <j9knqlx33f.ln2@Telcontar.valinor> |
| In reply to | #75300 |
On 2025-09-26 23:38, Lawrence D’Oliveiro wrote:
> On Fri, 26 Sep 2025 10:44:45 +0200, Marc Haber wrote:
>
>> Marco Moock <mm@dorfdsl.de> wrote:
>>>
>>> Which devices do you have that need that?
>>
>> Old switches from non-premium vendors.
>
> A client of mine once bought a brand-new router from a well-known
> vendor (Allied Telesyn -- or was that Allied Telesis?). This was in
> the early ’00s. Its SSH support only allowed for DES encryption -- not
> even triple-DES.

Common.

I have used routers in this century that did not have ssh, only telnet. Not early century, even. Provided by my ISP, so millions of users.

My printer doesn't have https, only http.

I have embedded machines with only telnet.

Fortunately, all those are intra-LAN.

--
Cheers, Carlos.
ES🇪🇸, EU🇪🇺;
| From | Lawrence D’Oliveiro <ldo@nz.invalid> |
|---|---|
| Date | 2025-09-28 19:24 +0000 |
| Message-ID | <10bc21s$2icd5$2@dont-email.me> |
| In reply to | #75346 |
On Sun, 28 Sep 2025 13:54:59 +0200, Carlos E.R. wrote:

> My printer doesn't have https, only http.

Don’t put it directly on the network. Leave it on a USB connection to one machine, and serve it up to the rest of your LAN via CUPS.
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-09-28 21:36 +0200 |
| Message-ID | <kafoqlxa06.ln2@Telcontar.valinor> |
| In reply to | #75367 |
On 2025-09-28 21:24, Lawrence D’Oliveiro wrote:
> On Sun, 28 Sep 2025 13:54:59 +0200, Carlos E.R. wrote:
>
>> My printer doesn't have https, only http.
>
> Don’t put it directly on the network. Leave it on a USB connection to one
> machine, and serve it up to the rest of your LAN via CUPS.

Not viable.

--
Cheers, Carlos.
ES🇪🇸, EU🇪🇺;
| From | Lawrence D’Oliveiro <ldo@nz.invalid> |
|---|---|
| Date | 2025-09-25 22:05 +0000 |
| Message-ID | <10b4eah$jqe8$3@dont-email.me> |
| In reply to | #75199 |
On Thu, 25 Sep 2025 12:15:21 -0000 (UTC), The Doctor wrote:

> This is a quantum signature flaw that might affect all distros.

When I hear the word “quantum”, I reach for my debunk-o-tron ...
| From | John McCue <jmclnx@gmail.com.invalid> |
|---|---|
| Date | 2025-09-26 14:31 +0000 |
| Message-ID | <10b683b$11lad$1@dont-email.me> |
| In reply to | #75199 |
Follow-ups trimmed to: comp.os.linux.misc
In comp.os.linux.misc The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
> Hello, will all Linux Distros upgrade to Openssh 10.X upwards?
>
> This is a quantum signature flaw that might affect all distros.
I never heard of this flaw, but here is information
about Openssh and quantum:
https://www.openssh.com/pq.html
--
[t]csh(1) - "An elegant shell, for a more... civilized age."
- Paraphrasing Star Wars