-/* $OpenBSD: readconf.c,v 1.274 2017/04/30 23:15:04 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.275 2017/04/30 23:18:22 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
intptr = &options->pubkey_authentication;
goto parse_flag;
- case oRSAAuthentication:
- intptr = &options->rsa_authentication;
- goto parse_flag;
-
- case oRhostsRSAAuthentication:
- intptr = &options->rhosts_rsa_authentication;
- goto parse_flag;
-
case oHostbasedAuthentication:
intptr = &options->hostbased_authentication;
goto parse_flag;
intptr = &options->number_of_password_prompts;
goto parse_int;
- case oCompressionLevel:
- intptr = &options->compression_level;
- goto parse_int;
-
case oRekeyLimit:
arg = strdelim(&s);
if (!arg || *arg == '\0')
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
options->fwd_opts.streamlocal_bind_unlink = -1;
options->use_privileged_port = -1;
- options->rsa_authentication = -1;
options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
- options->rhosts_rsa_authentication = -1;
options->hostbased_authentication = -1;
options->batch_mode = -1;
options->check_host_ip = -1;
options->strict_host_key_checking = -1;
options->compression = -1;
options->tcp_keep_alive = -1;
- options->compression_level = -1;
options->port = -1;
options->address_family = -1;
options->connection_attempts = -1;
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->use_privileged_port == -1)
options->use_privileged_port = 0;
- if (options->rsa_authentication == -1)
- options->rsa_authentication = 1;
if (options->pubkey_authentication == -1)
options->pubkey_authentication = 1;
if (options->challenge_response_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 1;
- if (options->rhosts_rsa_authentication == -1)
- options->rhosts_rsa_authentication = 0;
if (options->hostbased_authentication == -1)
options->hostbased_authentication = 0;
if (options->batch_mode == -1)
options->compression = 0;
if (options->tcp_keep_alive == -1)
options->tcp_keep_alive = 1;
- if (options->compression_level == -1)
- options->compression_level = 6;
if (options->port == -1)
options->port = 0; /* Filled in ssh_connect. */
if (options->address_family == -1)
dump_cfg_fmtint(oProxyUseFdpass, o->proxy_use_fdpass);
dump_cfg_fmtint(oPubkeyAuthentication, o->pubkey_authentication);
dump_cfg_fmtint(oRequestTTY, o->request_tty);
-#ifdef WITH_RSA1
- dump_cfg_fmtint(oRhostsRSAAuthentication, o->rhosts_rsa_authentication);
- dump_cfg_fmtint(oRSAAuthentication, o->rsa_authentication);
-#endif
dump_cfg_fmtint(oStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking);
dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive);
-/* $OpenBSD: readconf.h,v 1.120 2017/04/30 23:15:04 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.121 2017/04/30 23:18:22 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
char *xauth_location; /* Location for xauth program */
struct ForwardOptions fwd_opts; /* forwarding options */
int use_privileged_port; /* Don't use privileged port if false. */
- int rhosts_rsa_authentication; /* Try rhosts with RSA
- * authentication. */
- int rsa_authentication; /* Try RSA authentication. */
int pubkey_authentication; /* Try ssh2 pubkey authentication. */
int hostbased_authentication; /* ssh2's rhosts_rsa */
int challenge_response_authentication;
int check_host_ip; /* Also keep track of keys for IP address */
int strict_host_key_checking; /* Strict host key checking. */
int compression; /* Compress packets in both directions. */
- int compression_level; /* Compression level 1 (fast) to 9
- * (best). */
int tcp_keep_alive; /* Set SO_KEEPALIVE. */
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.376 2016/07/16 06:57:55 jmc Exp $
-.Dd $Mdocdate: July 16 2016 $
+.\" $OpenBSD: ssh.1,v 1.377 2017/04/30 23:18:22 djm Exp $
+.Dd $Mdocdate: April 30 2017 $
.Dt SSH 1
.Os
.Sh NAME
.Sh SYNOPSIS
.Nm ssh
.Bk -words
-.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
+.Op Fl 46AaCfGgKkMNnqsTtVvXxYy
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Op Fl D Oo Ar bind_address : Oc Ns Ar port
The options are as follows:
.Pp
.Bl -tag -width Ds -compact
-.It Fl 1
-Forces
-.Nm
-to try protocol version 1 only.
-.Pp
-.It Fl 2
-Forces
-.Nm
-to try protocol version 2 only.
-.Pp
.It Fl 4
Forces
.Nm
.Ux Ns -domain
connections).
The compression algorithm is the same used by
-.Xr gzip 1 ,
-and the
-.Dq level
-can be controlled by the
-.Cm CompressionLevel
-option for protocol version 1.
+.Xr gzip 1 .
Compression is desirable on modem lines and other
slow connections, but will only slow down things on fast networks.
The default value can be set on a host-by-host basis in the
.Pp
.It Fl c Ar cipher_spec
Selects the cipher specification for encrypting the session.
-.Pp
-Protocol version 1 allows specification of a single cipher.
-The supported values are
-.Dq 3des ,
-.Dq blowfish ,
-and
-.Dq des .
-For protocol version 2,
.Ar cipher_spec
is a comma-separated list of ciphers
listed in order of preference.
Selects a file from which the identity (private key) for
public key authentication is read.
The default is
-.Pa ~/.ssh/identity
-for protocol version 1, and
.Pa ~/.ssh/id_dsa ,
.Pa ~/.ssh/id_ecdsa ,
.Pa ~/.ssh/id_ed25519
.It Ciphers
.It ClearAllForwardings
.It Compression
-.It CompressionLevel
.It ConnectionAttempts
.It ConnectTimeout
.It ControlMaster
.It PKCS11Provider
.It Port
.It PreferredAuthentications
-.It Protocol
.It ProxyCommand
.It ProxyJump
.It ProxyUseFdpass
.It RekeyLimit
.It RemoteForward
.It RequestTTY
-.It RhostsRSAAuthentication
-.It RSAAuthentication
.It SendEnv
.It ServerAliveInterval
.It ServerAliveCountMax
The file format and configuration options are described in
.Xr ssh_config 5 .
.Sh AUTHENTICATION
-The OpenSSH SSH client supports SSH protocols 1 and 2.
-The default is to use protocol 2 only,
-though this can be changed via the
-.Cm Protocol
-option in
-.Xr ssh_config 5
-or the
-.Fl 1
-and
-.Fl 2
-options (see above).
-Protocol 1 should not be used
-and is only offered to support legacy devices.
-It suffers from a number of cryptographic weaknesses
-and doesn't support many of the advanced features available for protocol 2.
+The OpenSSH SSH client supports SSH protocol 2.
.Pp
The methods available for authentication are:
GSSAPI-based authentication,
The user creates his/her key pair by running
.Xr ssh-keygen 1 .
This stores the private key in
-.Pa ~/.ssh/identity
-(protocol 1),
.Pa ~/.ssh/id_dsa
(DSA),
.Pa ~/.ssh/id_ecdsa
.Pa ~/.ssh/id_rsa
(RSA)
and stores the public key in
-.Pa ~/.ssh/identity.pub
-(protocol 1),
.Pa ~/.ssh/id_dsa.pub
(DSA),
.Pa ~/.ssh/id_ecdsa.pub
-# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
+# $OpenBSD: ssh_config,v 1.31 2017/04/30 23:18:22 djm Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# Host *
# ForwardAgent no
# ForwardX11 no
-# RhostsRSAAuthentication no
-# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.244 2017/04/28 06:15:03 jmc Exp $
-.Dd $Mdocdate: April 28 2017 $
+.\" $OpenBSD: ssh_config.5,v 1.245 2017/04/30 23:18:22 djm Exp $
+.Dd $Mdocdate: April 30 2017 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
If the option is set to
.Cm no ,
the check will not be executed.
-.It Cm Cipher
-Specifies the cipher to use for encrypting the session
-in protocol version 1.
-Currently,
-.Cm blowfish ,
-.Cm 3des
-(the default),
-and
-.Cm des
-are supported,
-though
-.Cm des
-is only supported in the
-.Xr ssh 1
-client for interoperability with legacy protocol 1 implementations;
-its use is strongly discouraged due to cryptographic weaknesses.
.It Cm Ciphers
-Specifies the ciphers allowed for protocol version 2
-in order of preference.
+Specifies the ciphers allowed and their order of preference.
Multiple ciphers must be comma-separated.
If the specified value begins with a
.Sq +
or
.Cm no
(the default).
-.It Cm CompressionLevel
-Specifies the compression level to use if compression is enabled.
-The argument must be an integer from 1 (fast) to 9 (slow, best).
-The default level is 6, which is good for most applications.
-The meaning of the values is the same as in
-.Xr gzip 1 .
-Note that this option applies to protocol version 1 only.
-.It Cm ConnectionAttempts
-Specifies the number of tries (one per second) to make before exiting.
-The argument must be an integer.
-This may be useful in scripts if the connection sometimes fails.
-The default is 1.
.It Cm ConnectTimeout
Specifies the timeout (in seconds) used when connecting to the
SSH server, instead of using the default system TCP timeout.
Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
identity is read.
The default is
-.Pa ~/.ssh/identity
-for protocol version 1, and
.Pa ~/.ssh/id_dsa ,
.Pa ~/.ssh/id_ecdsa ,
.Pa ~/.ssh/id_ed25519
and
-.Pa ~/.ssh/id_rsa
-for protocol version 2.
+.Pa ~/.ssh/id_rsa .
Additionally, any identities represented by the authentication agent
will be used for authentication unless
.Cm IdentitiesOnly
gssapi-with-mic,hostbased,publickey,
keyboard-interactive,password
.Ed
-.It Cm Protocol
-Specifies the protocol versions
-.Xr ssh 1
-should support in order of preference.
-The possible values are 1 and 2.
-Multiple versions must be comma-separated.
-When this option is set to
-.Cm 2,1
-.Nm ssh
-will try version 2 and fall back to version 1
-if version 2 is not available.
-The default is version 2.
-Protocol 1 suffers from a number of cryptographic weaknesses and should
-not be used.
-It is only offered to support legacy devices.
.It Cm ProxyCommand
Specifies the command to use to connect to the server.
The command
.Xr ssh-keygen 1 .
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
-.It Cm RhostsRSAAuthentication
-Specifies whether to try rhosts based authentication with RSA host
-authentication.
-The argument must be
-.Cm yes
-or
-.Cm no
-(the default).
-This option applies to protocol version 1 only and requires
-.Xr ssh 1
-to be setuid root.
-.It Cm RSAAuthentication
-Specifies whether to try RSA authentication.
-The argument to this keyword must be
-.Cm yes
-(the default)
-or
-.Cm no .
-RSA authentication will only be
-attempted if the identity file exists, or an authentication agent is
-running.
-Note that this option applies to protocol version 1 only.
.It Cm SendEnv
Specifies what variables from the local
.Xr environ 7