upstream commit

remove SSHv1 configuration options and man pages bits ok markus@ Upstream-ID: 84638c23546c056727b7a7d653c72574e0f19424
2025-07-31 01:35:11 +02:00 · 2017-04-30 23:18:22 +00:00 · 2017-04-30 23:18:22 +00:00 · 788ac799a6
commit 788ac799a6
parent e6882463a8
5 changed files with 12 additions and 160 deletions
--- a/readconf.c
+++ b/readconf.c
@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.274 2017/04/30 23:15:04 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.275 2017/04/30 23:18:22 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -951,14 +951,6 @@ parse_time:
 		intptr = &options->pubkey_authentication;
 		goto parse_flag;
 	case oRSAAuthentication:
 		intptr = &options->rsa_authentication;
 		goto parse_flag;
 	case oRhostsRSAAuthentication:
 		intptr = &options->rhosts_rsa_authentication;
 		goto parse_flag;
 	case oHostbasedAuthentication:
 		intptr = &options->hostbased_authentication;
 		goto parse_flag;
@ -1009,10 +1001,6 @@ parse_time:
 		intptr = &options->number_of_password_prompts;
 		goto parse_int;
 	case oCompressionLevel:
 		intptr = &options->compression_level;
 		goto parse_int;
 	case oRekeyLimit:
 		arg = strdelim(&s);
 		if (!arg || *arg == '\0')
@ -1777,7 +1765,6 @@ initialize_options(Options * options)
 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
 	options->fwd_opts.streamlocal_bind_unlink = -1;
 	options->use_privileged_port = -1;
 	options->rsa_authentication = -1;
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
@ -1785,14 +1772,12 @@ initialize_options(Options * options)
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
 	options->rhosts_rsa_authentication = -1;
 	options->hostbased_authentication = -1;
 	options->batch_mode = -1;
 	options->check_host_ip = -1;
 	options->strict_host_key_checking = -1;
 	options->compression = -1;
 	options->tcp_keep_alive = -1;
 	options->compression_level = -1;
 	options->port = -1;
 	options->address_family = -1;
 	options->connection_attempts = -1;
@ -1916,8 +1901,6 @@ fill_default_options(Options * options)
 		options->fwd_opts.streamlocal_bind_unlink = 0;
 	if (options->use_privileged_port == -1)
 		options->use_privileged_port = 0;
 	if (options->rsa_authentication == -1)
 		options->rsa_authentication = 1;
 	if (options->pubkey_authentication == -1)
 		options->pubkey_authentication = 1;
 	if (options->challenge_response_authentication == -1)
@ -1930,8 +1913,6 @@ fill_default_options(Options * options)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
 		options->kbd_interactive_authentication = 1;
 	if (options->rhosts_rsa_authentication == -1)
 		options->rhosts_rsa_authentication = 0;
 	if (options->hostbased_authentication == -1)
 		options->hostbased_authentication = 0;
 	if (options->batch_mode == -1)
@ -1944,8 +1925,6 @@ fill_default_options(Options * options)
 		options->compression = 0;
 	if (options->tcp_keep_alive == -1)
 		options->tcp_keep_alive = 1;
 	if (options->compression_level == -1)
 		options->compression_level = 6;
 	if (options->port == -1)
 		options->port = 0;	/* Filled in ssh_connect. */
 	if (options->address_family == -1)
@ -2502,10 +2481,6 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_fmtint(oProxyUseFdpass, o->proxy_use_fdpass);
 	dump_cfg_fmtint(oPubkeyAuthentication, o->pubkey_authentication);
 	dump_cfg_fmtint(oRequestTTY, o->request_tty);
 #ifdef WITH_RSA1
 	dump_cfg_fmtint(oRhostsRSAAuthentication, o->rhosts_rsa_authentication);
 	dump_cfg_fmtint(oRSAAuthentication, o->rsa_authentication);
 #endif
 	dump_cfg_fmtint(oStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
 	dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking);
 	dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive);
--- a/readconf.h
+++ b/readconf.h
@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.120 2017/04/30 23:15:04 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.121 2017/04/30 23:18:22 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -37,9 +37,6 @@ typedef struct {
 	char   *xauth_location;	/* Location for xauth program */
 	struct ForwardOptions fwd_opts;	/* forwarding options */
 	int     use_privileged_port;	/* Don't use privileged port if false. */
 	int     rhosts_rsa_authentication;	/* Try rhosts with RSA
 						 * authentication. */
 	int     rsa_authentication;	/* Try RSA authentication. */
 	int     pubkey_authentication;	/* Try ssh2 pubkey authentication. */
 	int     hostbased_authentication;	/* ssh2's rhosts_rsa */
 	int     challenge_response_authentication;
@ -54,8 +51,6 @@ typedef struct {
 	int     check_host_ip;	/* Also keep track of keys for IP address */
 	int     strict_host_key_checking;	/* Strict host key checking. */
 	int     compression;	/* Compress packets in both directions. */
 	int     compression_level;	/* Compression level 1 (fast) to 9
 					 * (best). */
 	int     tcp_keep_alive;	/* Set SO_KEEPALIVE. */
 	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
 	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
--- a/ssh.1
+++ b/ssh.1
@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.376 2016/07/16 06:57:55 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.377 2017/04/30 23:18:22 djm Exp $
-.Dd $Mdocdate: July 16 2016 $
+.Dd $Mdocdate: April 30 2017 $
 .Dt SSH 1
 .Os
 .Sh NAME
@ -43,7 +43,7 @@
 .Sh SYNOPSIS
 .Nm ssh
 .Bk -words
-.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
+.Op Fl 46AaCfGgKkMNnqsTtVvXxYy
 .Op Fl b Ar bind_address
 .Op Fl c Ar cipher_spec
 .Op Fl D Oo Ar bind_address : Oc Ns Ar port
@ -95,16 +95,6 @@ it is executed on the remote host instead of a login shell.
 The options are as follows:
 .Pp
 .Bl -tag -width Ds -compact
 .It Fl 1
 Forces
 .Nm
 to try protocol version 1 only.
 .Pp
 .It Fl 2
 Forces
 .Nm
 to try protocol version 2 only.
 .Pp
 .It Fl 4
 Forces
 .Nm
@ -144,12 +134,7 @@ data for forwarded X11, TCP and
 .Ux Ns -domain
 connections).
 The compression algorithm is the same used by
-.Xr gzip 1 ,
+.Xr gzip 1 .
 and the
 .Dq level
 can be controlled by the
 .Cm CompressionLevel
 option for protocol version 1.
 Compression is desirable on modem lines and other
 slow connections, but will only slow down things on fast networks.
 The default value can be set on a host-by-host basis in the
@ -159,14 +144,6 @@ option.
 .Pp
 .It Fl c Ar cipher_spec
 Selects the cipher specification for encrypting the session.
 .Pp
 Protocol version 1 allows specification of a single cipher.
 The supported values are
 .Dq 3des ,
 .Dq blowfish ,
 and
 .Dq des .
 For protocol version 2,
 .Ar cipher_spec
 is a comma-separated list of ciphers
 listed in order of preference.
@ -290,8 +267,6 @@ private RSA key.
 Selects a file from which the identity (private key) for
 public key authentication is read.
 The default is
 .Pa ~/.ssh/identity
 for protocol version 1, and
 .Pa ~/.ssh/id_dsa ,
 .Pa ~/.ssh/id_ecdsa ,
 .Pa ~/.ssh/id_ed25519
@ -495,7 +470,6 @@ For full details of the options listed below, and their possible values, see
 .It Ciphers
 .It ClearAllForwardings
 .It Compression
 .It CompressionLevel
 .It ConnectionAttempts
 .It ConnectTimeout
 .It ControlMaster
@ -540,7 +514,6 @@ For full details of the options listed below, and their possible values, see
 .It PKCS11Provider
 .It Port
 .It PreferredAuthentications
 .It Protocol
 .It ProxyCommand
 .It ProxyJump
 .It ProxyUseFdpass
@ -549,8 +522,6 @@ For full details of the options listed below, and their possible values, see
 .It RekeyLimit
 .It RemoteForward
 .It RequestTTY
 .It RhostsRSAAuthentication
 .It RSAAuthentication
 .It SendEnv
 .It ServerAliveInterval
 .It ServerAliveCountMax
@ -806,21 +777,7 @@ a per-user configuration file and a system-wide configuration file.
 The file format and configuration options are described in
 .Xr ssh_config 5 .
 .Sh AUTHENTICATION
-The OpenSSH SSH client supports SSH protocols 1 and 2.
+The OpenSSH SSH client supports SSH protocol 2.
 The default is to use protocol 2 only,
 though this can be changed via the
 .Cm Protocol
 option in
 .Xr ssh_config 5
 or the
 .Fl 1
 and
 .Fl 2
 options (see above).
 Protocol 1 should not be used
 and is only offered to support legacy devices.
 It suffers from a number of cryptographic weaknesses
 and doesn't support many of the advanced features available for protocol 2.
 .Pp
 The methods available for authentication are:
 GSSAPI-based authentication,
@ -893,8 +850,6 @@ is authorized to accept the account.
 The user creates his/her key pair by running
 .Xr ssh-keygen 1 .
 This stores the private key in
 .Pa ~/.ssh/identity
 (protocol 1),
 .Pa ~/.ssh/id_dsa
 (DSA),
 .Pa ~/.ssh/id_ecdsa
@ -905,8 +860,6 @@ or
 .Pa ~/.ssh/id_rsa
 (RSA)
 and stores the public key in
 .Pa ~/.ssh/identity.pub
 (protocol 1),
 .Pa ~/.ssh/id_dsa.pub
 (DSA),
 .Pa ~/.ssh/id_ecdsa.pub
--- a/4
+++ b/4
@ -1,4 +1,4 @@
-#	$OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
+#	$OpenBSD: ssh_config,v 1.31 2017/04/30 23:18:22 djm Exp $
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
@ -20,8 +20,6 @@
 # Host *
 #   ForwardAgent no
 #   ForwardX11 no
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
--- a/ssh_config.5
+++ b/ssh_config.5
@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.244 2017/04/28 06:15:03 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.245 2017/04/30 23:18:22 djm Exp $
-.Dd $Mdocdate: April 28 2017 $
+.Dd $Mdocdate: April 30 2017 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@ -391,25 +391,8 @@ in the process, regardless of the setting of
 If the option is set to
 .Cm no ,
 the check will not be executed.
 .It Cm Cipher
 Specifies the cipher to use for encrypting the session
 in protocol version 1.
 Currently,
 .Cm blowfish ,
 .Cm 3des
 (the default),
 and
 .Cm des
 are supported,
 though
 .Cm des
 is only supported in the
 .Xr ssh 1
 client for interoperability with legacy protocol 1 implementations;
 its use is strongly discouraged due to cryptographic weaknesses.
 .It Cm Ciphers
-Specifies the ciphers allowed for protocol version 2
+Specifies the ciphers allowed and their order of preference.
 in order of preference.
 Multiple ciphers must be comma-separated.
 If the specified value begins with a
 .Sq +
@ -472,18 +455,6 @@ The argument must be
 or
 .Cm no
 (the default).
 .It Cm CompressionLevel
 Specifies the compression level to use if compression is enabled.
 The argument must be an integer from 1 (fast) to 9 (slow, best).
 The default level is 6, which is good for most applications.
 The meaning of the values is the same as in
 .Xr gzip 1 .
 Note that this option applies to protocol version 1 only.
 .It Cm ConnectionAttempts
 Specifies the number of tries (one per second) to make before exiting.
 The argument must be an integer.
 This may be useful in scripts if the connection sometimes fails.
 The default is 1.
 .It Cm ConnectTimeout
 Specifies the timeout (in seconds) used when connecting to the
 SSH server, instead of using the default system TCP timeout.
@ -902,14 +873,11 @@ section.
 Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
 identity is read.
 The default is
 .Pa ~/.ssh/identity
 for protocol version 1, and
 .Pa ~/.ssh/id_dsa ,
 .Pa ~/.ssh/id_ecdsa ,
 .Pa ~/.ssh/id_ed25519
 and
-.Pa ~/.ssh/id_rsa
+.Pa ~/.ssh/id_rsa .
 for protocol version 2.
 Additionally, any identities represented by the authentication agent
 will be used for authentication unless
 .Cm IdentitiesOnly
@ -1192,21 +1160,6 @@ The default is:
 gssapi-with-mic,hostbased,publickey,
 keyboard-interactive,password
 .Ed
 .It Cm Protocol
 Specifies the protocol versions
 .Xr ssh 1
 should support in order of preference.
 The possible values are 1 and 2.
 Multiple versions must be comma-separated.
 When this option is set to
 .Cm 2,1
 .Nm ssh
 will try version 2 and fall back to version 1
 if version 2 is not available.
 The default is version 2.
 Protocol 1 suffers from a number of cryptographic weaknesses and should
 not be used.
 It is only offered to support legacy devices.
 .It Cm ProxyCommand
 Specifies the command to use to connect to the server.
 The command
@ -1397,28 +1350,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
 For more information on KRLs, see the KEY REVOCATION LISTS section in
 .Xr ssh-keygen 1 .
 .It Cm RhostsRSAAuthentication
 Specifies whether to try rhosts based authentication with RSA host
 authentication.
 The argument must be
 .Cm yes
 or
 .Cm no
 (the default).
 This option applies to protocol version 1 only and requires
 .Xr ssh 1
 to be setuid root.
 .It Cm RSAAuthentication
 Specifies whether to try RSA authentication.
 The argument to this keyword must be
 .Cm yes
 (the default)
 or
 .Cm no .
 RSA authentication will only be
 attempted if the identity file exists, or an authentication agent is
 running.
 Note that this option applies to protocol version 1 only.
 .It Cm SendEnv
 Specifies what variables from the local
 .Xr environ 7