From 7a80cfe2ef89db013fb4deb6d1609706a3a3da7a Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 30 Apr 2017 23:18:22 +0000 Subject: [PATCH] remove SSHv1 configuration options and man pages bits ok markus@ --- usr.bin/ssh/readconf.c | 27 +------------- usr.bin/ssh/readconf.h | 7 +--- usr.bin/ssh/ssh.1 | 57 +++-------------------------- usr.bin/ssh/ssh_config | 4 +-- usr.bin/ssh/ssh_config.5 | 77 +++------------------------------------- 5 files changed, 12 insertions(+), 160 deletions(-) diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c index a9bd86c5f67..17e76a97fc9 100644 --- a/usr.bin/ssh/readconf.c +++ b/usr.bin/ssh/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.274 2017/04/30 23:15:04 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.275 2017/04/30 23:18:22 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -936,14 +936,6 @@ parse_time: intptr = &options->pubkey_authentication; goto parse_flag; - case oRSAAuthentication: - intptr = &options->rsa_authentication; - goto parse_flag; - - case oRhostsRSAAuthentication: - intptr = &options->rhosts_rsa_authentication; - goto parse_flag; - case oHostbasedAuthentication: intptr = &options->hostbased_authentication; goto parse_flag; @@ -994,10 +986,6 @@ parse_time: intptr = &options->number_of_password_prompts; goto parse_int; - case oCompressionLevel: - intptr = &options->compression_level; - goto parse_int; - case oRekeyLimit: arg = strdelim(&s); if (!arg || *arg == '\0') @@ -1762,7 +1750,6 @@ initialize_options(Options * options) options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; options->fwd_opts.streamlocal_bind_unlink = -1; options->use_privileged_port = -1; - options->rsa_authentication = -1; options->pubkey_authentication = -1; options->challenge_response_authentication = -1; options->gss_authentication = -1; @@ -1770,14 +1757,12 @@ initialize_options(Options * options) options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; - options->rhosts_rsa_authentication = -1; options->hostbased_authentication = -1; options->batch_mode = -1; options->check_host_ip = -1; options->strict_host_key_checking = -1; options->compression = -1; options->tcp_keep_alive = -1; - options->compression_level = -1; options->port = -1; options->address_family = -1; options->connection_attempts = -1; @@ -1901,8 +1886,6 @@ fill_default_options(Options * options) options->fwd_opts.streamlocal_bind_unlink = 0; if (options->use_privileged_port == -1) options->use_privileged_port = 0; - if (options->rsa_authentication == -1) - options->rsa_authentication = 1; if (options->pubkey_authentication == -1) options->pubkey_authentication = 1; if (options->challenge_response_authentication == -1) @@ -1915,8 +1898,6 @@ fill_default_options(Options * options) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 1; - if (options->rhosts_rsa_authentication == -1) - options->rhosts_rsa_authentication = 0; if (options->hostbased_authentication == -1) options->hostbased_authentication = 0; if (options->batch_mode == -1) @@ -1929,8 +1910,6 @@ fill_default_options(Options * options) options->compression = 0; if (options->tcp_keep_alive == -1) options->tcp_keep_alive = 1; - if (options->compression_level == -1) - options->compression_level = 6; if (options->port == -1) options->port = 0; /* Filled in ssh_connect. */ if (options->address_family == -1) @@ -2485,10 +2464,6 @@ dump_client_config(Options *o, const char *host) dump_cfg_fmtint(oProxyUseFdpass, o->proxy_use_fdpass); dump_cfg_fmtint(oPubkeyAuthentication, o->pubkey_authentication); dump_cfg_fmtint(oRequestTTY, o->request_tty); -#ifdef WITH_RSA1 - dump_cfg_fmtint(oRhostsRSAAuthentication, o->rhosts_rsa_authentication); - dump_cfg_fmtint(oRSAAuthentication, o->rsa_authentication); -#endif dump_cfg_fmtint(oStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking); dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive); diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h index c2ffd9ed420..f47f5340209 100644 --- a/usr.bin/ssh/readconf.h +++ b/usr.bin/ssh/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.120 2017/04/30 23:15:04 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.121 2017/04/30 23:18:22 djm Exp $ */ /* * Author: Tatu Ylonen @@ -37,9 +37,6 @@ typedef struct { char *xauth_location; /* Location for xauth program */ struct ForwardOptions fwd_opts; /* forwarding options */ int use_privileged_port; /* Don't use privileged port if false. */ - int rhosts_rsa_authentication; /* Try rhosts with RSA - * authentication. */ - int rsa_authentication; /* Try RSA authentication. */ int pubkey_authentication; /* Try ssh2 pubkey authentication. */ int hostbased_authentication; /* ssh2's rhosts_rsa */ int challenge_response_authentication; @@ -54,8 +51,6 @@ typedef struct { int check_host_ip; /* Also keep track of keys for IP address */ int strict_host_key_checking; /* Strict host key checking. */ int compression; /* Compress packets in both directions. */ - int compression_level; /* Compression level 1 (fast) to 9 - * (best). */ int tcp_keep_alive; /* Set SO_KEEPALIVE. */ int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1 index 4011c65aa66..325742f9878 100644 --- a/usr.bin/ssh/ssh.1 +++ b/usr.bin/ssh/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.376 2016/07/16 06:57:55 jmc Exp $ -.Dd $Mdocdate: July 16 2016 $ +.\" $OpenBSD: ssh.1,v 1.377 2017/04/30 23:18:22 djm Exp $ +.Dd $Mdocdate: April 30 2017 $ .Dt SSH 1 .Os .Sh NAME @@ -43,7 +43,7 @@ .Sh SYNOPSIS .Nm ssh .Bk -words -.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy +.Op Fl 46AaCfGgKkMNnqsTtVvXxYy .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec .Op Fl D Oo Ar bind_address : Oc Ns Ar port @@ -95,16 +95,6 @@ it is executed on the remote host instead of a login shell. The options are as follows: .Pp .Bl -tag -width Ds -compact -.It Fl 1 -Forces -.Nm -to try protocol version 1 only. -.Pp -.It Fl 2 -Forces -.Nm -to try protocol version 2 only. -.Pp .It Fl 4 Forces .Nm @@ -144,12 +134,7 @@ data for forwarded X11, TCP and .Ux Ns -domain connections). The compression algorithm is the same used by -.Xr gzip 1 , -and the -.Dq level -can be controlled by the -.Cm CompressionLevel -option for protocol version 1. +.Xr gzip 1 . Compression is desirable on modem lines and other slow connections, but will only slow down things on fast networks. The default value can be set on a host-by-host basis in the @@ -159,14 +144,6 @@ option. .Pp .It Fl c Ar cipher_spec Selects the cipher specification for encrypting the session. -.Pp -Protocol version 1 allows specification of a single cipher. -The supported values are -.Dq 3des , -.Dq blowfish , -and -.Dq des . -For protocol version 2, .Ar cipher_spec is a comma-separated list of ciphers listed in order of preference. @@ -290,8 +267,6 @@ private RSA key. Selects a file from which the identity (private key) for public key authentication is read. The default is -.Pa ~/.ssh/identity -for protocol version 1, and .Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , .Pa ~/.ssh/id_ed25519 @@ -495,7 +470,6 @@ For full details of the options listed below, and their possible values, see .It Ciphers .It ClearAllForwardings .It Compression -.It CompressionLevel .It ConnectionAttempts .It ConnectTimeout .It ControlMaster @@ -540,7 +514,6 @@ For full details of the options listed below, and their possible values, see .It PKCS11Provider .It Port .It PreferredAuthentications -.It Protocol .It ProxyCommand .It ProxyJump .It ProxyUseFdpass @@ -549,8 +522,6 @@ For full details of the options listed below, and their possible values, see .It RekeyLimit .It RemoteForward .It RequestTTY -.It RhostsRSAAuthentication -.It RSAAuthentication .It SendEnv .It ServerAliveInterval .It ServerAliveCountMax @@ -806,21 +777,7 @@ a per-user configuration file and a system-wide configuration file. The file format and configuration options are described in .Xr ssh_config 5 . .Sh AUTHENTICATION -The OpenSSH SSH client supports SSH protocols 1 and 2. -The default is to use protocol 2 only, -though this can be changed via the -.Cm Protocol -option in -.Xr ssh_config 5 -or the -.Fl 1 -and -.Fl 2 -options (see above). -Protocol 1 should not be used -and is only offered to support legacy devices. -It suffers from a number of cryptographic weaknesses -and doesn't support many of the advanced features available for protocol 2. +The OpenSSH SSH client supports SSH protocol 2. .Pp The methods available for authentication are: GSSAPI-based authentication, @@ -893,8 +850,6 @@ is authorized to accept the account. The user creates his/her key pair by running .Xr ssh-keygen 1 . This stores the private key in -.Pa ~/.ssh/identity -(protocol 1), .Pa ~/.ssh/id_dsa (DSA), .Pa ~/.ssh/id_ecdsa @@ -905,8 +860,6 @@ or .Pa ~/.ssh/id_rsa (RSA) and stores the public key in -.Pa ~/.ssh/identity.pub -(protocol 1), .Pa ~/.ssh/id_dsa.pub (DSA), .Pa ~/.ssh/id_ecdsa.pub diff --git a/usr.bin/ssh/ssh_config b/usr.bin/ssh/ssh_config index 0bfa8e01671..38c577977d5 100644 --- a/usr.bin/ssh/ssh_config +++ b/usr.bin/ssh/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $ +# $OpenBSD: ssh_config,v 1.31 2017/04/30 23:18:22 djm Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -20,8 +20,6 @@ # Host * # ForwardAgent no # ForwardX11 no -# RhostsRSAAuthentication no -# RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no # BatchMode no diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5 index c9dca08d8d9..a565f330dba 100644 --- a/usr.bin/ssh/ssh_config.5 +++ b/usr.bin/ssh/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.244 2017/04/28 06:15:03 jmc Exp $ -.Dd $Mdocdate: April 28 2017 $ +.\" $OpenBSD: ssh_config.5,v 1.245 2017/04/30 23:18:22 djm Exp $ +.Dd $Mdocdate: April 30 2017 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -391,25 +391,8 @@ in the process, regardless of the setting of If the option is set to .Cm no , the check will not be executed. -.It Cm Cipher -Specifies the cipher to use for encrypting the session -in protocol version 1. -Currently, -.Cm blowfish , -.Cm 3des -(the default), -and -.Cm des -are supported, -though -.Cm des -is only supported in the -.Xr ssh 1 -client for interoperability with legacy protocol 1 implementations; -its use is strongly discouraged due to cryptographic weaknesses. .It Cm Ciphers -Specifies the ciphers allowed for protocol version 2 -in order of preference. +Specifies the ciphers allowed and their order of preference. Multiple ciphers must be comma-separated. If the specified value begins with a .Sq + @@ -472,18 +455,6 @@ The argument must be or .Cm no (the default). -.It Cm CompressionLevel -Specifies the compression level to use if compression is enabled. -The argument must be an integer from 1 (fast) to 9 (slow, best). -The default level is 6, which is good for most applications. -The meaning of the values is the same as in -.Xr gzip 1 . -Note that this option applies to protocol version 1 only. -.It Cm ConnectionAttempts -Specifies the number of tries (one per second) to make before exiting. -The argument must be an integer. -This may be useful in scripts if the connection sometimes fails. -The default is 1. .It Cm ConnectTimeout Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout. @@ -902,14 +873,11 @@ section. Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication identity is read. The default is -.Pa ~/.ssh/identity -for protocol version 1, and .Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , .Pa ~/.ssh/id_ed25519 and -.Pa ~/.ssh/id_rsa -for protocol version 2. +.Pa ~/.ssh/id_rsa . Additionally, any identities represented by the authentication agent will be used for authentication unless .Cm IdentitiesOnly @@ -1192,21 +1160,6 @@ The default is: gssapi-with-mic,hostbased,publickey, keyboard-interactive,password .Ed -.It Cm Protocol -Specifies the protocol versions -.Xr ssh 1 -should support in order of preference. -The possible values are 1 and 2. -Multiple versions must be comma-separated. -When this option is set to -.Cm 2,1 -.Nm ssh -will try version 2 and fall back to version 1 -if version 2 is not available. -The default is version 2. -Protocol 1 suffers from a number of cryptographic weaknesses and should -not be used. -It is only offered to support legacy devices. .It Cm ProxyCommand Specifies the command to use to connect to the server. The command @@ -1397,28 +1350,6 @@ an OpenSSH Key Revocation List (KRL) as generated by .Xr ssh-keygen 1 . For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . -.It Cm RhostsRSAAuthentication -Specifies whether to try rhosts based authentication with RSA host -authentication. -The argument must be -.Cm yes -or -.Cm no -(the default). -This option applies to protocol version 1 only and requires -.Xr ssh 1 -to be setuid root. -.It Cm RSAAuthentication -Specifies whether to try RSA authentication. -The argument to this keyword must be -.Cm yes -(the default) -or -.Cm no . -RSA authentication will only be -attempted if the identity file exists, or an authentication agent is -running. -Note that this option applies to protocol version 1 only. .It Cm SendEnv Specifies what variables from the local .Xr environ 7 -- 2.20.1