Web lists-archives.com

Re: Downgrade opensshh from 7.4 to 5.1?




On 4/3/2017 12:23 PM, Stephen John Smoogen wrote:
> On 3 April 2017 at 11:03, cyg Simple <cygsimple@xxxxxxxxx> wrote:
>> On 4/3/2017 10:45 AM, Kleine Raphael wrote:
>>> Hello
>>>
>>> My client can not support OpenSSH_7.2p2 (OpenSSL 1.0.2h  3 May 2016)
>>> and I must downgrade the server to OpenSSH_5.1p1 (OpenSSL 0.9.8l 5 Nov
>>> 2009)
>>>
>>
>> Explain more the "can not support".
>>
> 
> While I agree we need more information, this may be one of the cases
> where a person is trying to be circumspect due to other policies.
> 
> I think that the OpenSSH after 6.9 started dropping support for older
> algorithms (https://www.openssh.com/txt/release-7.0) . If you are
> using SSH to manage various industrial equipment then you are pretty
> much stuck with using older SSH because the equipment may only support
> RC4 or maybe only has keys of 512 or 768 bits. [Trying to get an
> industrial manufacturer to update equipment is a multi-decade process.
> They may have just started creating hardware which has SSH vs straight
> telnet and they won't update to a newer version of SSH until 2028 :/]

That may be true except for PCI compliance[1] where every piece of
equipment between the processor and computer needs to be 1024 bit
standard.  I'm well aware of the fact that the change takes time even in
my own professional job there are still certificates that carry the 512
bit cert data.  That doesn't mean the business is not trying to upgrade
but due to the sheer mass of computers running the business there are a
few with OLD, OUT-OF-DATE hardware and OS.  However where the business
is outward facing the whole process has been updated without delay.

[1]
https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

-- 
cyg Simple

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple