Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/ssh: library deprecates ciphers over-eagerly #12131

Closed
wwaites opened this issue Aug 13, 2015 · 3 comments
Closed

x/crypto/ssh: library deprecates ciphers over-eagerly #12131

wwaites opened this issue Aug 13, 2015 · 3 comments
Assignees
Milestone

Comments

@wwaites
Copy link

@wwaites wwaites commented Aug 13, 2015

From https://github.com/golang/crypto/blob/master/ssh/common.go#L52

"This is based on RFC 4253, section 6.4, but with hmac-md5 variants
 removed because they have reached the end of their useful life."

Unfortunately this is wishful thinking. ssh servers should not use old ciphers,
but sometimes they do, and we still need to manage them. Sometimes we
have no control over the server implementation -- in this instance it's
Mikrotik routers. Deprecated ciphers are still useful in this circumstance
even though in an ideal world this would not be the case.

I'd work on making a patch, but as this appears to be a conscious choice
I want to check here first to make sure I'm not wasting my time if it would
be rejected out of hand.

@mikioh mikioh changed the title ssh library deprecates ciphers over-eagerly x/crypto/ssh: library deprecates ciphers over-eagerly Aug 13, 2015
@mikioh mikioh added this to the Unreleased milestone Aug 13, 2015
@bradfitz
Copy link
Contributor

@bradfitz bradfitz commented Aug 14, 2015

/cc @agl

@hanwen
Copy link
Contributor

@hanwen hanwen commented Aug 18, 2015

This is a conscious choice. Note that starting with version 7, OpenSSH is also leaving out deprecated ciphers by default.

Adding hmac-md5 should be fairly trivial to add to a local copy of go.crypto.

@agl agl self-assigned this Aug 22, 2015
@agl
Copy link
Contributor

@agl agl commented Aug 22, 2015

If there's a significant population of devices that need this then it could probably be added, but disabled by default. But I think that this is the first time that hmac-md5 has been requested so a local solution is appropriate for now.

@agl agl closed this Aug 22, 2015
@golang golang locked and limited conversation to collaborators Aug 22, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
6 participants
You can’t perform that action at this time.