upstream commit

Replace list of ciphers and MACs adjacent to -1/-2 flag
descriptions in ssh(1) with a strong recommendation not to use protocol 1.
Add a similar warning to the Protocol option descriptions in ssh_config(5)
and sshd_config(5).

prompted by and ok mmcc@

Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
djm@openbsd.org 2016-02-16 05:11:04 +00:00 committed by Damien Miller
parent 5a0fcb7728
commit e7901efa9b
3 changed files with 16 additions and 15 deletions

ssh.1

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.366 2015/11/15 22:26:49 jcs Exp $
.Dd $Mdocdate: November 15 2015 $
.\" $OpenBSD: ssh.1,v 1.367 2016/02/16 05:11:04 djm Exp $
.Dd $Mdocdate: February 16 2016 $
.Dt SSH 1
.Os
.Sh NAME
@ -795,15 +795,9 @@ or the
and
.Fl 2
options (see above).
Both protocols support similar authentication methods,
but protocol 2 is the default since
it provides additional mechanisms for confidentiality
(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
and integrity (hmac-md5, hmac-sha1,
hmac-sha2-256, hmac-sha2-512,
umac-64, umac-128, hmac-ripemd160).
Protocol 1 lacks a strong mechanism for ensuring the
integrity of the connection.
Protocol 2 is the default.
Protocol 1 should not be used - it suffers from a number of cryptographic
weaknesses and is only offered to support legacy devices.
.Pp
The methods available for authentication are:
GSSAPI-based authentication,
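Review bot: the new wording drops the one concrete, user-actionable weakness that the removed text stated ("Protocol 1 lacks a strong mechanism for ensuring the integrity of the connection") in favour of the generic "a number of cryptographic weaknesses"; consider keeping the integrity point as the example, since it tells an administrator what actually goes wrong on the wire. Also, "Protocol 1 should not be used - it suffers from ..." joins two sentences with a hyphen on one line, while the rest of this file keeps one sentence (or clause) per line; splitting it into "Protocol 1 should not be used." and "It suffers from a number of cryptographic weaknesses and is only offered to support legacy devices." matches the mdoc style used elsewhere in the hunk and in the ssh_config(5)/sshd_config(5) changes in this same commit.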

ssh_config.5

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.224 2016/02/11 02:56:32 djm Exp $
.Dd $Mdocdate: February 11 2016 $
.\" $OpenBSD: ssh_config.5,v 1.225 2016/02/16 05:11:04 djm Exp $
.Dd $Mdocdate: February 16 2016 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@ -1270,6 +1270,9 @@ will try version 2 and fall back to version 1
if version 2 is not available.
The default is
.Sq 2 .
Protocol 1 suffers from a number of cryptographic weaknesses and should
not be used.
It is only offered to support legacy devices.
.It Cm ProxyCommand
Specifies the command to use to connect to the server.
The command
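Review bot: the warning is placed after "The default is .Sq 2 .", but the context immediately above describes a configuration that "will try version 2 and fall back to version 1 if version 2 is not available"; a reader who configures that fallback gets a silent downgrade to protocol 1 whenever a server does not offer version 2. Consider tying the new sentence to that case explicitly (for example, noting that fallback configurations are subject to the same weaknesses and should be avoided for the same reason), so the caution is not read as applying only to an explicit "1" setting.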

sshd_config.5

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.217 2016/02/11 02:56:32 djm Exp $
.Dd $Mdocdate: February 11 2016 $
.\" $OpenBSD: sshd_config.5,v 1.218 2016/02/16 05:11:04 djm Exp $
.Dd $Mdocdate: February 16 2016 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@ -1342,6 +1342,10 @@ and
Multiple versions must be comma-separated.
The default is
.Sq 2 .
Protocol 1 suffers from a number of cryptographic weaknesses and should
not be used.
It is only offered to support legacy devices.
.Pp
Note that the order of the protocol list does not indicate preference,
because the client selects among multiple protocol versions offered
by the server.
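Review bot: the added text is identical to the ssh_config(5) wording, but the note that follows ("the order of the protocol list does not indicate preference, because the client selects among multiple protocol versions offered by the server") makes the server-side consequence stronger than "should not be used": a server that offers version 1 at all exposes it to any client that picks it, regardless of list order. Suggest phrasing the server warning in terms of the action the administrator controls, e.g. "Protocol 1 ... should not be enabled on servers", and optionally reordering so the weakness sentence sits next to the "client selects" note it motivates.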