From: naddy Date: Mon, 15 Aug 2016 12:27:56 +0000 (+0000) Subject: Remove more SSH1 server code: X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=f235807b74c2c62aa66f7b5f8db90a3d7019e59b;p=openbsd Remove more SSH1 server code: * Drop sshd's -k option. * Retire configuration keywords that only apply to protocol 1, as well as the "protocol" keyword. * Remove some related vestiges of protocol 1 support. ok markus@ --- diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c index 60c4481fee8..bfefae28aac 100644 --- a/usr.bin/ssh/servconf.c +++ b/usr.bin/ssh/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.292 2016/06/23 05:17:51 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.293 2016/08/15 12:27:56 naddy Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -76,9 +76,7 @@ initialize_server_options(ServerOptions *options) options->num_host_cert_files = 0; options->host_key_agent = NULL; options->pid_file = NULL; - options->server_key_bits = -1; options->login_grace_time = -1; - options->key_regeneration_time = -1; options->permit_root_login = PERMIT_NOT_SET; options->ignore_rhosts = -1; options->ignore_user_known_hosts = -1; @@ -94,12 +92,10 @@ initialize_server_options(ServerOptions *options) options->tcp_keep_alive = -1; options->log_facility = SYSLOG_FACILITY_NOT_SET; options->log_level = SYSLOG_LEVEL_NOT_SET; - options->rhosts_rsa_authentication = -1; options->hostbased_authentication = -1; options->hostbased_uses_name_from_packet_only = -1; options->hostbased_key_types = NULL; options->hostkeyalgorithms = NULL; - options->rsa_authentication = -1; options->pubkey_authentication = -1; options->pubkey_key_types = NULL; options->kerberos_authentication = -1; @@ -128,7 +124,6 @@ initialize_server_options(ServerOptions *options) options->ciphers = NULL; options->macs = NULL; options->kex_algorithms = NULL; - options->protocol = SSH_PROTO_UNKNOWN; options->fwd_opts.gateway_ports = -1; options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; options->fwd_opts.streamlocal_bind_unlink = -1; @@ -187,23 +182,16 @@ fill_default_server_options(ServerOptions *options) { int i; - if (options->protocol == SSH_PROTO_UNKNOWN) - options->protocol = SSH_PROTO_2; if (options->num_host_key_files == 0) { - /* fill default hostkeys for protocols */ - if (options->protocol & SSH_PROTO_1) - options->host_key_files[options->num_host_key_files++] = - _PATH_HOST_KEY_FILE; - if (options->protocol & SSH_PROTO_2) { - options->host_key_files[options->num_host_key_files++] = - _PATH_HOST_RSA_KEY_FILE; - options->host_key_files[options->num_host_key_files++] = - _PATH_HOST_DSA_KEY_FILE; - options->host_key_files[options->num_host_key_files++] = - _PATH_HOST_ECDSA_KEY_FILE; - options->host_key_files[options->num_host_key_files++] = - _PATH_HOST_ED25519_KEY_FILE; - } + /* fill default hostkeys */ + options->host_key_files[options->num_host_key_files++] = + _PATH_HOST_RSA_KEY_FILE; + options->host_key_files[options->num_host_key_files++] = + _PATH_HOST_DSA_KEY_FILE; + options->host_key_files[options->num_host_key_files++] = + _PATH_HOST_ECDSA_KEY_FILE; + options->host_key_files[options->num_host_key_files++] = + _PATH_HOST_ED25519_KEY_FILE; } /* No certificates by default */ if (options->num_ports == 0) @@ -214,12 +202,8 @@ fill_default_server_options(ServerOptions *options) add_listen_addr(options, NULL, 0); if (options->pid_file == NULL) options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE); - if (options->server_key_bits == -1) - options->server_key_bits = 1024; if (options->login_grace_time == -1) options->login_grace_time = 120; - if (options->key_regeneration_time == -1) - options->key_regeneration_time = 3600; if (options->permit_root_login == PERMIT_NOT_SET) options->permit_root_login = PERMIT_NO_PASSWD; if (options->ignore_rhosts == -1) @@ -250,14 +234,10 @@ fill_default_server_options(ServerOptions *options) options->log_facility = SYSLOG_FACILITY_AUTH; if (options->log_level == SYSLOG_LEVEL_NOT_SET) options->log_level = SYSLOG_LEVEL_INFO; - if (options->rhosts_rsa_authentication == -1) - options->rhosts_rsa_authentication = 0; if (options->hostbased_authentication == -1) options->hostbased_authentication = 0; if (options->hostbased_uses_name_from_packet_only == -1) options->hostbased_uses_name_from_packet_only = 0; - if (options->rsa_authentication == -1) - options->rsa_authentication = 1; if (options->pubkey_authentication == -1) options->pubkey_authentication = 1; if (options->kerberos_authentication == -1) @@ -377,9 +357,8 @@ fill_default_server_options(ServerOptions *options) /* Keyword tokens. */ typedef enum { sBadOption, /* == unknown option */ - sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, - sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, - sRhostsRSAAuthentication, sRSAAuthentication, + sPort, sHostKeyFile, sLoginGraceTime, + sPermitRootLogin, sLogFacility, sLogLevel, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosGetAFSToken, sKerberosTgtPassing, sChallengeResponseAuthentication, @@ -390,7 +369,7 @@ typedef enum { sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, - sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, + sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, sBanner, sUseDNS, sHostbasedAuthentication, @@ -427,19 +406,19 @@ static struct { { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, { "pidfile", sPidFile, SSHCFG_GLOBAL }, - { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, + { "serverkeybits", sDeprecated, SSHCFG_GLOBAL }, { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, - { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, + { "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL }, { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, { "loglevel", sLogLevel, SSHCFG_GLOBAL }, { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, - { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, + { "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL }, { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL }, { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL }, - { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, + { "rsaauthentication", sDeprecated, SSHCFG_ALL }, { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL }, { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ @@ -496,7 +475,7 @@ static struct { { "denygroups", sDenyGroups, SSHCFG_ALL }, { "ciphers", sCiphers, SSHCFG_GLOBAL }, { "macs", sMacs, SSHCFG_GLOBAL }, - { "protocol", sProtocol, SSHCFG_GLOBAL }, + { "protocol", sDeprecated, SSHCFG_GLOBAL }, { "gatewayports", sGatewayPorts, SSHCFG_ALL }, { "subsystem", sSubsystem, SSHCFG_GLOBAL }, { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, @@ -989,18 +968,6 @@ process_server_config_line(ServerOptions *options, char *line, filename, linenum); break; - case sServerKeyBits: - intptr = &options->server_key_bits; - parse_int: - arg = strdelim(&cp); - if (!arg || *arg == '\0') - fatal("%s line %d: missing integer value.", - filename, linenum); - value = atoi(arg); - if (*activep && *intptr == -1) - *intptr = value; - break; - case sLoginGraceTime: intptr = &options->login_grace_time; parse_time: @@ -1015,10 +982,6 @@ process_server_config_line(ServerOptions *options, char *line, *intptr = value; break; - case sKeyRegenerationTime: - intptr = &options->key_regeneration_time; - goto parse_time; - case sListenAddress: arg = strdelim(&cp); if (arg == NULL || *arg == '\0') @@ -1138,10 +1101,6 @@ process_server_config_line(ServerOptions *options, char *line, intptr = &options->ignore_user_known_hosts; goto parse_flag; - case sRhostsRSAAuthentication: - intptr = &options->rhosts_rsa_authentication; - goto parse_flag; - case sHostbasedAuthentication: intptr = &options->hostbased_authentication; goto parse_flag; @@ -1168,10 +1127,6 @@ process_server_config_line(ServerOptions *options, char *line, charptr = &options->hostkeyalgorithms; goto parse_keytypes; - case sRSAAuthentication: - intptr = &options->rsa_authentication; - goto parse_flag; - case sPubkeyAuthentication: intptr = &options->pubkey_authentication; goto parse_flag; @@ -1234,7 +1189,15 @@ process_server_config_line(ServerOptions *options, char *line, case sX11DisplayOffset: intptr = &options->x11_display_offset; - goto parse_int; + parse_int: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: missing integer value.", + filename, linenum); + value = atoi(arg); + if (*activep && *intptr == -1) + *intptr = value; + break; case sX11UseLocalhost: intptr = &options->x11_use_localhost; @@ -1436,19 +1399,6 @@ process_server_config_line(ServerOptions *options, char *line, options->kex_algorithms = xstrdup(arg); break; - case sProtocol: - intptr = &options->protocol; - arg = strdelim(&cp); - if (!arg || *arg == '\0') - fatal("%s line %d: Missing argument.", filename, linenum); - value = proto_spec(arg); - if (value == SSH_PROTO_UNKNOWN) - fatal("%s line %d: Bad protocol spec '%s'.", - filename, linenum, arg ? arg : ""); - if (*intptr == SSH_PROTO_UNKNOWN) - *intptr = value; - break; - case sSubsystem: if (options->num_subsystems >= MAX_SUBSYSTEMS) { fatal("%s line %d: too many subsystems defined.", @@ -1957,7 +1907,6 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(password_authentication); M_CP_INTOPT(gss_authentication); - M_CP_INTOPT(rsa_authentication); M_CP_INTOPT(pubkey_authentication); M_CP_INTOPT(kerberos_authentication); M_CP_INTOPT(hostbased_authentication); @@ -2097,17 +2046,6 @@ fmt_intarg(ServerOpCodes code, int val) return fmt_multistate_int(val, multistate_tcpfwd); case sFingerprintHash: return ssh_digest_alg_name(val); - case sProtocol: - switch (val) { - case SSH_PROTO_1: - return "1"; - case SSH_PROTO_2: - return "2"; - case (SSH_PROTO_1|SSH_PROTO_2): - return "2,1"; - default: - return "UNKNOWN"; - } default: switch (val) { case 0: @@ -2194,7 +2132,6 @@ dump_config(ServerOptions *o) /* these are usually at the top of the config */ for (i = 0; i < o->num_ports; i++) printf("port %d\n", o->ports[i]); - dump_cfg_fmtint(sProtocol, o->protocol); dump_cfg_fmtint(sAddressFamily, o->address_family); /* @@ -2224,9 +2161,7 @@ dump_config(ServerOptions *o) free(laddr1); /* integer arguments */ - dump_cfg_int(sServerKeyBits, o->server_key_bits); dump_cfg_int(sLoginGraceTime, o->login_grace_time); - dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time); dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); dump_cfg_int(sMaxAuthTries, o->max_authtries); dump_cfg_int(sMaxSessions, o->max_sessions); @@ -2238,11 +2173,9 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts); dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts); - dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication); dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication); dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly, o->hostbased_uses_name_from_packet_only); - dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication); dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication); #ifdef KRB5 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication); diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h index 7421233f827..3f595e4361d 100644 --- a/usr.bin/ssh/servconf.h +++ b/usr.bin/ssh/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.120 2015/07/10 06:21:53 markus Exp $ */ +/* $OpenBSD: servconf.h,v 1.121 2016/08/15 12:27:56 naddy Exp $ */ /* * Author: Tatu Ylonen @@ -69,10 +69,8 @@ typedef struct { int num_host_cert_files; /* Number of files for host certs. */ char *host_key_agent; /* ssh-agent socket for host keys. */ char *pid_file; /* Where to put our pid */ - int server_key_bits;/* Size of the server key. */ int login_grace_time; /* Disconnect if no auth in this time * (sec). */ - int key_regeneration_time; /* Server key lifetime (seconds). */ int permit_root_login; /* PERMIT_*, see above */ int ignore_rhosts; /* Ignore .rhosts and .shosts. */ int ignore_user_known_hosts; /* Ignore ~/.ssh/known_hosts @@ -93,17 +91,13 @@ typedef struct { char *ciphers; /* Supported SSH2 ciphers. */ char *macs; /* Supported SSH2 macs. */ char *kex_algorithms; /* SSH2 kex methods in order of preference. */ - int protocol; /* Supported protocol versions. */ struct ForwardOptions fwd_opts; /* forwarding options */ SyslogFacility log_facility; /* Facility for system logging. */ LogLevel log_level; /* Level for system logging. */ - int rhosts_rsa_authentication; /* If true, permit rhosts RSA - * authentication. */ int hostbased_authentication; /* If true, permit ssh2 hostbased auth */ int hostbased_uses_name_from_packet_only; /* experimental */ char *hostbased_key_types; /* Key types allowed for hostbased */ char *hostkeyalgorithms; /* SSH2 server key types */ - int rsa_authentication; /* If true, permit RSA authentication. */ int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */ char *pubkey_key_types; /* Key types allowed for public key */ int kerberos_authentication; /* If true, permit Kerberos diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c index c46b4ac63b5..91c2d27ba3d 100644 --- a/usr.bin/ssh/sshd.c +++ b/usr.bin/ssh/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.472 2016/08/13 17:47:41 markus Exp $ */ +/* $OpenBSD: sshd.c,v 1.473 2016/08/15 12:27:56 naddy Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -342,26 +342,12 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) { u_int i; int remote_major, remote_minor; - int major, minor; char *s, *newline = "\n"; char buf[256]; /* Must not be larger than remote_version. */ char remote_version[256]; /* Must be at least as big as buf. */ - if ((options.protocol & SSH_PROTO_1) && - (options.protocol & SSH_PROTO_2)) { - major = PROTOCOL_MAJOR_1; - minor = 99; - } else if (options.protocol & SSH_PROTO_2) { - major = PROTOCOL_MAJOR_2; - minor = PROTOCOL_MINOR_2; - newline = "\r\n"; - } else { - major = PROTOCOL_MAJOR_1; - minor = PROTOCOL_MINOR_1; - } - xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", - major, minor, SSH_VERSION, + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, *options.version_addendum == '\0' ? "" : " ", options.version_addendum, newline); @@ -887,10 +873,9 @@ usage(void) #endif ); fprintf(stderr, -"usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n" +"usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n" " [-E log_file] [-f config_file] [-g login_grace_time]\n" -" [-h host_key_file] [-k key_gen_time] [-o option] [-p port]\n" -" [-u len]\n" +" [-h host_key_file] [-o option] [-p port] [-u len]\n" ); exit(1); } @@ -1371,7 +1356,7 @@ main(int ac, char **av) options.log_level = SYSLOG_LEVEL_QUIET; break; case 'b': - /* ignored */ + /* protocol 1, ignored */ break; case 'p': options.ports_from_cmdline = 1; @@ -1392,10 +1377,7 @@ main(int ac, char **av) } break; case 'k': - if ((options.key_regeneration_time = convtime(optarg)) == -1) { - fprintf(stderr, "Invalid key regeneration interval.\n"); - exit(1); - } + /* protocol 1, ignored */ break; case 'h': if (options.num_host_key_files >= MAX_HOSTKEYS) { @@ -1513,9 +1495,6 @@ main(int ac, char **av) * and warns for trivial misconfigurations that could break login. */ if (options.num_auth_methods != 0) { - if ((options.protocol & SSH_PROTO_1)) - fatal("AuthenticationMethods is not supported with " - "SSH protocol 1"); for (n = 0; n < options.num_auth_methods; n++) { if (auth2_methods_valid(options.auth_methods[n], 1) == 0)