This Space for Rent

Annoying misfeatures of open®©™ source®©™ software, part ∞

Because I don’t have enough things to do already, I decided that I’d update my macbook to the beta release of the latestandgreatest version of macos. Which is fragile, as befits a beta (apps have been tending to explode and fall over periodically) but which has exposed me to some obnoxious features in modern open source software. The obnoxious feature I discovered this afternoon was that the version of ssh Sierra uses (v7, instead of the v6.9 that was in El Cap) no longer supports dss encryption or the old diffie-hellman key exchange protocol. Which means that the large collection of internal machines I’ve got that use dropbear (because openssh is a festering pile of security holes) won’t talk to it because they want to do diffie-hellman key exchange, and my @home dns server (freebsd 4.x) won’t talk to it because it uses dss encryption, which is apparently a Bad Thing because the NSA can crack it. And, of course, I can’t push out a newer version of dropbear, because it uses the festering pit of crapware that is gnu configure (which doesn’t work on OSes more than about 5 years old, which kind of defeats the whole fucking purpose of an autoconfig program.)

And since osx uses magic security to protect system files (can’t touch them unless I do some sort of recovery system gymnastics to disable that level of protection) I can’t just overwrite the ssh with the older version that’s in El Cap. I can put that older ssh into ~orc/bin, which is an adequate kludge, but it’s still a kludge to get around the insanely stupid configuration decision to not have permissive clients but paranoid servers. (until I copied the older ssh, I got to my older servers by ssh'ing to an old mac mini, then jumping to them from there.)
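An added example, not part of the original post: on an OpenSSH 7.x client the algorithms that 7.0 disabled by default can be re-enabled per host in `~/.ssh/config`, which keeps the weaker settings scoped to the legacy machines instead of swapping the whole binary. The host patterns are placeholders, and it assumes the old servers need `diffie-hellman-group1-sha1` and `ssh-dss` host keys.

```sshconfig
# ~/.ssh/config
# Host names below are placeholders for the legacy machines.

# Old dropbear boxes: append the legacy key exchange to the default list.
# The leading "+" adds to the defaults rather than replacing them.
Host legacy-dropbear-*
    KexAlgorithms +diffie-hellman-group1-sha1

# Old FreeBSD DNS server that only presents a DSS host key.
Host home-dns
    HostKeyAlgorithms +ssh-dss

# Every other host keeps the client's stock algorithm lists,
# because no override is set under "Host *".
```

`ssh -Q kex` and `ssh -Q key` list what the installed client was built with; an algorithm missing from that output cannot be re-enabled from the config file.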

Man, I’m glad I got out of the software biz. If I had to do this for a living my head would have exploded by now.