[openssh-commits] [openssh] 09/22: upstream commit
git+noreply at mindrot.org
git+noreply at mindrot.org
Mon May 1 12:02:12 AEST 2017
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit 788ac799a6efa40517f2ac0d895a610394298ffc
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Apr 30 23:18:22 2017 +0000
upstream commit
remove SSHv1 configuration options and man pages bits
ok markus@
Upstream-ID: 84638c23546c056727b7a7d653c72574e0f19424
---
readconf.c | 27 +--------------------
readconf.h | 7 +-----
ssh.1 | 57 ++++----------------------------------------
ssh_config | 4 +---
ssh_config.5 | 77 ++++--------------------------------------------------------
5 files changed, 12 insertions(+), 160 deletions(-)
diff --git a/readconf.c b/readconf.c
index 5a7197c1..aee5a8a7 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.274 2017/04/30 23:15:04 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.275 2017/04/30 23:18:22 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -951,14 +951,6 @@ parse_time:
intptr = &options->pubkey_authentication;
goto parse_flag;
- case oRSAAuthentication:
- intptr = &options->rsa_authentication;
- goto parse_flag;
-
- case oRhostsRSAAuthentication:
- intptr = &options->rhosts_rsa_authentication;
- goto parse_flag;
-
case oHostbasedAuthentication:
intptr = &options->hostbased_authentication;
goto parse_flag;
@@ -1009,10 +1001,6 @@ parse_time:
intptr = &options->number_of_password_prompts;
goto parse_int;
- case oCompressionLevel:
- intptr = &options->compression_level;
- goto parse_int;
-
case oRekeyLimit:
arg = strdelim(&s);
if (!arg || *arg == '\0')
@@ -1777,7 +1765,6 @@ initialize_options(Options * options)
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
options->fwd_opts.streamlocal_bind_unlink = -1;
options->use_privileged_port = -1;
- options->rsa_authentication = -1;
options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
@@ -1785,14 +1772,12 @@ initialize_options(Options * options)
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
- options->rhosts_rsa_authentication = -1;
options->hostbased_authentication = -1;
options->batch_mode = -1;
options->check_host_ip = -1;
options->strict_host_key_checking = -1;
options->compression = -1;
options->tcp_keep_alive = -1;
- options->compression_level = -1;
options->port = -1;
options->address_family = -1;
options->connection_attempts = -1;
@@ -1916,8 +1901,6 @@ fill_default_options(Options * options)
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->use_privileged_port == -1)
options->use_privileged_port = 0;
- if (options->rsa_authentication == -1)
- options->rsa_authentication = 1;
if (options->pubkey_authentication == -1)
options->pubkey_authentication = 1;
if (options->challenge_response_authentication == -1)
@@ -1930,8 +1913,6 @@ fill_default_options(Options * options)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 1;
- if (options->rhosts_rsa_authentication == -1)
- options->rhosts_rsa_authentication = 0;
if (options->hostbased_authentication == -1)
options->hostbased_authentication = 0;
if (options->batch_mode == -1)
@@ -1944,8 +1925,6 @@ fill_default_options(Options * options)
options->compression = 0;
if (options->tcp_keep_alive == -1)
options->tcp_keep_alive = 1;
- if (options->compression_level == -1)
- options->compression_level = 6;
if (options->port == -1)
options->port = 0; /* Filled in ssh_connect. */
if (options->address_family == -1)
@@ -2502,10 +2481,6 @@ dump_client_config(Options *o, const char *host)
dump_cfg_fmtint(oProxyUseFdpass, o->proxy_use_fdpass);
dump_cfg_fmtint(oPubkeyAuthentication, o->pubkey_authentication);
dump_cfg_fmtint(oRequestTTY, o->request_tty);
-#ifdef WITH_RSA1
- dump_cfg_fmtint(oRhostsRSAAuthentication, o->rhosts_rsa_authentication);
- dump_cfg_fmtint(oRSAAuthentication, o->rsa_authentication);
-#endif
dump_cfg_fmtint(oStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking);
dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive);
diff --git a/readconf.h b/readconf.h
index c2ffd9ed..f47f5340 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.120 2017/04/30 23:15:04 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.121 2017/04/30 23:18:22 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -37,9 +37,6 @@ typedef struct {
char *xauth_location; /* Location for xauth program */
struct ForwardOptions fwd_opts; /* forwarding options */
int use_privileged_port; /* Don't use privileged port if false. */
- int rhosts_rsa_authentication; /* Try rhosts with RSA
- * authentication. */
- int rsa_authentication; /* Try RSA authentication. */
int pubkey_authentication; /* Try ssh2 pubkey authentication. */
int hostbased_authentication; /* ssh2's rhosts_rsa */
int challenge_response_authentication;
@@ -54,8 +51,6 @@ typedef struct {
int check_host_ip; /* Also keep track of keys for IP address */
int strict_host_key_checking; /* Strict host key checking. */
int compression; /* Compress packets in both directions. */
- int compression_level; /* Compression level 1 (fast) to 9
- * (best). */
int tcp_keep_alive; /* Set SO_KEEPALIVE. */
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
diff --git a/ssh.1 b/ssh.1
index 4011c65a..325742f9 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.376 2016/07/16 06:57:55 jmc Exp $
-.Dd $Mdocdate: July 16 2016 $
+.\" $OpenBSD: ssh.1,v 1.377 2017/04/30 23:18:22 djm Exp $
+.Dd $Mdocdate: April 30 2017 $
.Dt SSH 1
.Os
.Sh NAME
@@ -43,7 +43,7 @@
.Sh SYNOPSIS
.Nm ssh
.Bk -words
-.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
+.Op Fl 46AaCfGgKkMNnqsTtVvXxYy
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Op Fl D Oo Ar bind_address : Oc Ns Ar port
@@ -95,16 +95,6 @@ it is executed on the remote host instead of a login shell.
The options are as follows:
.Pp
.Bl -tag -width Ds -compact
-.It Fl 1
-Forces
-.Nm
-to try protocol version 1 only.
-.Pp
-.It Fl 2
-Forces
-.Nm
-to try protocol version 2 only.
-.Pp
.It Fl 4
Forces
.Nm
@@ -144,12 +134,7 @@ data for forwarded X11, TCP and
.Ux Ns -domain
connections).
The compression algorithm is the same used by
-.Xr gzip 1 ,
-and the
-.Dq level
-can be controlled by the
-.Cm CompressionLevel
-option for protocol version 1.
+.Xr gzip 1 .
Compression is desirable on modem lines and other
slow connections, but will only slow down things on fast networks.
The default value can be set on a host-by-host basis in the
@@ -159,14 +144,6 @@ option.
.Pp
.It Fl c Ar cipher_spec
Selects the cipher specification for encrypting the session.
-.Pp
-Protocol version 1 allows specification of a single cipher.
-The supported values are
-.Dq 3des ,
-.Dq blowfish ,
-and
-.Dq des .
-For protocol version 2,
.Ar cipher_spec
is a comma-separated list of ciphers
listed in order of preference.
@@ -290,8 +267,6 @@ private RSA key.
Selects a file from which the identity (private key) for
public key authentication is read.
The default is
-.Pa ~/.ssh/identity
-for protocol version 1, and
.Pa ~/.ssh/id_dsa ,
.Pa ~/.ssh/id_ecdsa ,
.Pa ~/.ssh/id_ed25519
@@ -495,7 +470,6 @@ For full details of the options listed below, and their possible values, see
.It Ciphers
.It ClearAllForwardings
.It Compression
-.It CompressionLevel
.It ConnectionAttempts
.It ConnectTimeout
.It ControlMaster
@@ -540,7 +514,6 @@ For full details of the options listed below, and their possible values, see
.It PKCS11Provider
.It Port
.It PreferredAuthentications
-.It Protocol
.It ProxyCommand
.It ProxyJump
.It ProxyUseFdpass
@@ -549,8 +522,6 @@ For full details of the options listed below, and their possible values, see
.It RekeyLimit
.It RemoteForward
.It RequestTTY
-.It RhostsRSAAuthentication
-.It RSAAuthentication
.It SendEnv
.It ServerAliveInterval
.It ServerAliveCountMax
@@ -806,21 +777,7 @@ a per-user configuration file and a system-wide configuration file.
The file format and configuration options are described in
.Xr ssh_config 5 .
.Sh AUTHENTICATION
-The OpenSSH SSH client supports SSH protocols 1 and 2.
-The default is to use protocol 2 only,
-though this can be changed via the
-.Cm Protocol
-option in
-.Xr ssh_config 5
-or the
-.Fl 1
-and
-.Fl 2
-options (see above).
-Protocol 1 should not be used
-and is only offered to support legacy devices.
-It suffers from a number of cryptographic weaknesses
-and doesn't support many of the advanced features available for protocol 2.
+The OpenSSH SSH client supports SSH protocol 2.
.Pp
The methods available for authentication are:
GSSAPI-based authentication,
@@ -893,8 +850,6 @@ is authorized to accept the account.
The user creates his/her key pair by running
.Xr ssh-keygen 1 .
This stores the private key in
-.Pa ~/.ssh/identity
-(protocol 1),
.Pa ~/.ssh/id_dsa
(DSA),
.Pa ~/.ssh/id_ecdsa
@@ -905,8 +860,6 @@ or
.Pa ~/.ssh/id_rsa
(RSA)
and stores the public key in
-.Pa ~/.ssh/identity.pub
-(protocol 1),
.Pa ~/.ssh/id_dsa.pub
(DSA),
.Pa ~/.ssh/id_ecdsa.pub
diff --git a/ssh_config b/ssh_config
index 90fb63f0..b986d52c 100644
--- a/ssh_config
+++ b/ssh_config
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
+# $OpenBSD: ssh_config,v 1.31 2017/04/30 23:18:22 djm Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
@@ -20,8 +20,6 @@
# Host *
# ForwardAgent no
# ForwardX11 no
-# RhostsRSAAuthentication no
-# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
diff --git a/ssh_config.5 b/ssh_config.5
index c9dca08d..a565f330 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.244 2017/04/28 06:15:03 jmc Exp $
-.Dd $Mdocdate: April 28 2017 $
+.\" $OpenBSD: ssh_config.5,v 1.245 2017/04/30 23:18:22 djm Exp $
+.Dd $Mdocdate: April 30 2017 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -391,25 +391,8 @@ in the process, regardless of the setting of
If the option is set to
.Cm no ,
the check will not be executed.
-.It Cm Cipher
-Specifies the cipher to use for encrypting the session
-in protocol version 1.
-Currently,
-.Cm blowfish ,
-.Cm 3des
-(the default),
-and
-.Cm des
-are supported,
-though
-.Cm des
-is only supported in the
-.Xr ssh 1
-client for interoperability with legacy protocol 1 implementations;
-its use is strongly discouraged due to cryptographic weaknesses.
.It Cm Ciphers
-Specifies the ciphers allowed for protocol version 2
-in order of preference.
+Specifies the ciphers allowed and their order of preference.
Multiple ciphers must be comma-separated.
If the specified value begins with a
.Sq +
@@ -472,18 +455,6 @@ The argument must be
or
.Cm no
(the default).
-.It Cm CompressionLevel
-Specifies the compression level to use if compression is enabled.
-The argument must be an integer from 1 (fast) to 9 (slow, best).
-The default level is 6, which is good for most applications.
-The meaning of the values is the same as in
-.Xr gzip 1 .
-Note that this option applies to protocol version 1 only.
-.It Cm ConnectionAttempts
-Specifies the number of tries (one per second) to make before exiting.
-The argument must be an integer.
-This may be useful in scripts if the connection sometimes fails.
-The default is 1.
.It Cm ConnectTimeout
Specifies the timeout (in seconds) used when connecting to the
SSH server, instead of using the default system TCP timeout.
@@ -902,14 +873,11 @@ section.
Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
identity is read.
The default is
-.Pa ~/.ssh/identity
-for protocol version 1, and
.Pa ~/.ssh/id_dsa ,
.Pa ~/.ssh/id_ecdsa ,
.Pa ~/.ssh/id_ed25519
and
-.Pa ~/.ssh/id_rsa
-for protocol version 2.
+.Pa ~/.ssh/id_rsa .
Additionally, any identities represented by the authentication agent
will be used for authentication unless
.Cm IdentitiesOnly
@@ -1192,21 +1160,6 @@ The default is:
gssapi-with-mic,hostbased,publickey,
keyboard-interactive,password
.Ed
-.It Cm Protocol
-Specifies the protocol versions
-.Xr ssh 1
-should support in order of preference.
-The possible values are 1 and 2.
-Multiple versions must be comma-separated.
-When this option is set to
-.Cm 2,1
-.Nm ssh
-will try version 2 and fall back to version 1
-if version 2 is not available.
-The default is version 2.
-Protocol 1 suffers from a number of cryptographic weaknesses and should
-not be used.
-It is only offered to support legacy devices.
.It Cm ProxyCommand
Specifies the command to use to connect to the server.
The command
@@ -1397,28 +1350,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
.Xr ssh-keygen 1 .
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
-.It Cm RhostsRSAAuthentication
-Specifies whether to try rhosts based authentication with RSA host
-authentication.
-The argument must be
-.Cm yes
-or
-.Cm no
-(the default).
-This option applies to protocol version 1 only and requires
-.Xr ssh 1
-to be setuid root.
-.It Cm RSAAuthentication
-Specifies whether to try RSA authentication.
-The argument to this keyword must be
-.Cm yes
-(the default)
-or
-.Cm no .
-RSA authentication will only be
-attempted if the identity file exists, or an authentication agent is
-running.
-Note that this option applies to protocol version 1 only.
.It Cm SendEnv
Specifies what variables from the local
.Xr environ 7
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list