An update on SSH protocol 1

Damien Miller djm at mindrot.org
Wed May 4 00:14:59 AEST 2016


On Tue, 3 May 2016, Colin Watson wrote:

> Debian takes the latter approach.  Specifically, we have an
> "openssh-client-ssh1" binary package that includes only scp1, ssh1, and
> ssh-keygen1 binaries; we do not ship any server-side SSHv1 support.  I
> modelled this on Fedora's approach, which is basically the same aside
> from a slightly different package name.
> 
> A number of our users are basically stuck needing to interoperate with
> SSHv1-only servers that they can't update for one reason or another.
> Obviously this is a pretty broken world, but maybe they're at least
> behind a VPN or firewalled to the local network or something and at any
> rate I'm rather glad that none of those things are directly my problem.
> 
> My plan for Debian (and thus Ubuntu etc.) is therefore that, once SSHv1
> is entirely removed from OpenSSH, I will split out the
> openssh-client-ssh1 binary package to be built from a separate source
> package which will remain frozen at the last OpenSSH release that
> supported SSHv1.  As before, this will ship only scp1, ssh1, and
> ssh-keygen1 binaries.
> 
> If I notice any fixes for client-side vulnerabilities that might affect
> SSHv1, then I'll backport them on a best-effort basis, but I expect this
> to be rare.  The protocol is sufficiently broken anyway that I'm not
> going to lose much sleep over it.  I've had it suggested to me that I
> should try to strip it down further (e.g. removing X forwarding
> capability), but on the whole I think the chances of accidentally
> breaking something as a result in something I don't myself use outweigh
> the expected benefits.
> 
> Any comments on this?  Feedback from the changes in 7.0 has convinced me
> that Debian does need to keep shipping basic client-side support in some
> form, but it can be very minimal and I'm happy to put whatever dire
> warnings on it seem useful and appropriate.
> 
> Notwithstanding all this, the plan of removing all this obsolete code
> from OpenSSH proper makes a lot of sense to me and I have no complaints
> there.

Your plan sounds eminently reasonable and I'll repeat my thanks
for your helping the transition by making separate -ssh1 packages.


-d