upstream commit

Catch up with the SSH1 code removal and delete all
mention of protocol 1 particularities, key files and formats, command line
options, and configuration keywords from the server documentation and
examples.  ok jmc@

Upstream-ID: 850328854675b4b6a0d4a90f0b4a9dd9ca4e905f

sshd.8

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.284 2016/02/17 07:38:19 jmc Exp $
-.Dd $Mdocdate: February 17 2016 $
+.\" $OpenBSD: sshd.8,v 1.285 2016/08/15 12:32:04 naddy Exp $
+.Dd $Mdocdate: August 15 2016 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -44,14 +44,12 @@
 .Nm sshd
 .Bk -words
 .Op Fl 46DdeiqTt
-.Op Fl b Ar bits
 .Op Fl C Ar connection_spec
 .Op Fl c Ar host_certificate_file
 .Op Fl E Ar log_file
 .Op Fl f Ar config_file
 .Op Fl g Ar login_grace_time
 .Op Fl h Ar host_key_file
-.Op Fl k Ar key_gen_time
 .Op Fl o Ar option
 .Op Fl p Ar port
 .Op Fl u Ar len
@@ -96,9 +94,6 @@ to use IPv4 addresses only.
 Forces
 .Nm
 to use IPv6 addresses only.
-.It Fl b Ar bits
-Specifies the number of bits in the ephemeral protocol version 1
-server key (default 1024).
 .It Fl C Ar connection_spec
 Specify the connection parameters to use for the
 .Fl T
@@ -169,36 +164,18 @@ This option must be given if
 is not run as root (as the normal
 host key files are normally not readable by anyone but root).
 The default is
-.Pa /etc/ssh/ssh_host_key
-for protocol version 1, and
 .Pa /etc/ssh/ssh_host_dsa_key ,
-.Pa /etc/ssh/ssh_host_ecdsa_key .
+.Pa /etc/ssh/ssh_host_ecdsa_key ,
 .Pa /etc/ssh/ssh_host_ed25519_key
 and
-.Pa /etc/ssh/ssh_host_rsa_key
-for protocol version 2.
+.Pa /etc/ssh/ssh_host_rsa_key .
 It is possible to have multiple host key files for
-the different protocol versions and host key algorithms.
+the different host key algorithms.
 .It Fl i
 Specifies that
 .Nm
 is being run from
 .Xr inetd 8 .
-If SSH protocol 1 is enabled,
-.Nm
-should not  normally be run
-from inetd because it needs to generate the server key before it can
-respond to the client, and this may take some time.
-Clients may have to wait too long if the key was regenerated every time.
-.It Fl k Ar key_gen_time
-Specifies how often the ephemeral protocol version 1 server key is
-regenerated (default 3600 seconds, or one hour).
-The motivation for regenerating the key fairly
-often is that the key is not stored anywhere, and after about an hour
-it becomes impossible to recover the key for decrypting intercepted
-communications even if the machine is cracked into or physically
-seized.
-A value of zero indicates that the key will never be regenerated.
 .It Fl o Ar option
 Can be used to give options in the format used in the configuration file.
 This is useful for specifying options for which there is no separate
@@ -257,8 +234,7 @@ may also be used to prevent
 from making DNS requests unless the authentication
 mechanism or configuration requires it.
 Authentication mechanisms that may require DNS include
-.Cm RhostsRSAAuthentication ,
-.Cm HostbasedAuthentication ,
+.Cm HostbasedAuthentication
 and using a
 .Cm from="pattern-list"
 option in a key file.
@@ -269,42 +245,14 @@ or
 .Cm DenyUsers .
 .El
 .Sh AUTHENTICATION
-The OpenSSH SSH daemon supports SSH protocols 1 and 2.
-The default is to use protocol 2 only,
-though this can be changed via the
-.Cm Protocol
-option in
-.Xr sshd_config 5 .
-Protocol 1 should not be used
-and is only offered to support legacy devices.
-.Pp
+The OpenSSH SSH daemon supports SSH protocol 2 only.
 Each host has a host-specific key,
 used to identify the host.
-Partial forward security for protocol 1 is provided through
-an additional server key,
-normally 1024 bits,
-generated when the server starts.
-This key is normally regenerated every hour if it has been used, and
-is never stored on disk.
 Whenever a client connects, the daemon responds with its public
-host and server keys.
+host key.
 The client compares the
-RSA host key against its own database to verify that it has not changed.
-The client then generates a 256-bit random number.
-It encrypts this
-random number using both the host key and the server key, and sends
-the encrypted number to the server.
-Both sides then use this
-random number as a session key which is used to encrypt all further
-communications in the session.
-The rest of the session is encrypted
-using a conventional cipher, currently Blowfish or 3DES, with 3DES
-being used by default.
-The client selects the encryption algorithm
-to use from those offered by the server.
-.Pp
-For protocol 2,
-forward security is provided through a Diffie-Hellman key agreement.
+host key against its own database to verify that it has not changed.
+Forward security is provided through a Diffie-Hellman key agreement.
 This key agreement results in a shared session key.
 The rest of the session is encrypted using a symmetric cipher, currently
 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
@@ -477,32 +425,25 @@ key (empty lines and lines starting with a
 .Ql #
 are ignored as
 comments).
-Protocol 1 public keys consist of the following space-separated fields:
-options, bits, exponent, modulus, comment.
-Protocol 2 public key consist of:
+Public keys consist of the following space-separated fields:
 options, keytype, base64-encoded key, comment.
-The options field is optional;
-its presence is determined by whether the line starts
-with a number or not (the options field never starts with a number).
-The bits, exponent, modulus, and comment fields give the RSA key for
-protocol version 1; the
-comment field is not used for anything (but may be convenient for the
-user to identify the key).
-For protocol version 2 the keytype is
+The options field is optional.
+The keytype is
 .Dq ecdsa-sha2-nistp256 ,
 .Dq ecdsa-sha2-nistp384 ,
 .Dq ecdsa-sha2-nistp521 ,
 .Dq ssh-ed25519 ,
 .Dq ssh-dss
 or
-.Dq ssh-rsa .
+.Dq ssh-rsa ;
+the comment field is not used for anything (but may be convenient for the
+user to identify the key).
 .Pp
-Note that lines in this file are usually several hundred bytes long
+Note that lines in this file can be several hundred bytes long
 (because of the size of the public key encoding) up to a limit of
 8 kilobytes, which permits DSA keys up to 8 kilobits and RSA
 keys up to 16 kilobits.
 You don't want to type them in; instead, copy the
-.Pa identity.pub ,
 .Pa id_dsa.pub ,
 .Pa id_ecdsa.pub ,
 .Pa id_ed25519.pub ,
@@ -511,8 +452,7 @@ or the
 file and edit it.
 .Pp
 .Nm
-enforces a minimum RSA key modulus size for protocol 1
-and protocol 2 keys of 768 bits.
+enforces a minimum RSA key modulus size of 768 bits.
 .Pp
 The options (if present) consist of comma-separated option
 specifications.
@@ -690,7 +630,7 @@ maintained automatically: whenever the user connects from an unknown host,
 its key is added to the per-user file.
 .Pp
 Each line in these files contains the following fields: markers (optional),
-hostnames, bits, exponent, modulus, comment.
+hostnames, keytype, base64-encoded key, comment.
 The fields are separated by spaces.
 .Pp
 The marker is optional, but if it is present then it must be one of
@@ -731,9 +671,9 @@ character.
 Only one hashed hostname may appear on a single line and none of the above
 negation or wildcard operators may be applied.
 .Pp
-Bits, exponent, and modulus are taken directly from the RSA host key; they
+The keytype and base64-encoded key are taken directly from the host key; they
 can be obtained, for example, from
-.Pa /etc/ssh/ssh_host_key.pub .
+.Pa /etc/ssh/ssh_host_rsa_key.pub .
 The optional comment field continues to the end of the line, and is not used.
 .Pp
 Lines starting with
@@ -772,8 +712,8 @@ Note that the lines in these files are typically hundreds of characters
 long, and you definitely don't want to type in the host keys by hand.
 Rather, generate them by a script,
 .Xr ssh-keyscan 1
-or by taking
-.Pa /etc/ssh/ssh_host_key.pub
+or by taking, for example,
+.Pa /etc/ssh/ssh_host_rsa_key.pub
 and adding the host names at the front.
 .Xr ssh-keygen 1
 also offers some basic automated editing for
@@ -912,7 +852,6 @@ This file is used in exactly the same way as
 but allows host-based authentication without permitting login with
 rlogin/rsh.
 .Pp
-.It Pa /etc/ssh/ssh_host_key
 .It Pa /etc/ssh/ssh_host_dsa_key
 .It Pa /etc/ssh/ssh_host_ecdsa_key
 .It Pa /etc/ssh/ssh_host_ed25519_key
@@ -924,7 +863,6 @@ Note that
 .Nm
 does not start if these files are group/world-accessible.
 .Pp
-.It Pa /etc/ssh/ssh_host_key.pub
 .It Pa /etc/ssh/ssh_host_dsa_key.pub
 .It Pa /etc/ssh/ssh_host_ecdsa_key.pub
 .It Pa /etc/ssh/ssh_host_ed25519_key.pub

sshd_config

@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.99 2016/07/11 03:19:44 tedu Exp $
+#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -15,21 +15,11 @@
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 
-# The default requires explicit activation of protocol 1
-#Protocol 2
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
 #HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #HostKey /etc/ssh/ssh_host_ed25519_key
 
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
 # Ciphers and keying
 #RekeyLimit default none
 
@@ -45,7 +35,6 @@
 #MaxAuthTries 6
 #MaxSessions 10
 
-#RSAAuthentication yes
 #PubkeyAuthentication yes
 
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@@ -58,11 +47,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #AuthorizedKeysCommandUser nobody
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes

sshd_config.5

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.228 2016/08/12 19:19:04 jca Exp $
-.Dd $Mdocdate: August 12 2016 $
+.\" $OpenBSD: sshd_config.5,v 1.229 2016/08/15 12:32:04 naddy Exp $
+.Dd $Mdocdate: August 15 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -230,8 +230,6 @@ of
 .Dq publickey,publickey
 will require successful authentication using two different public keys.
 .Pp
-This option will yield a fatal
-error if enabled if protocol 1 is also enabled.
 Note that each authentication method listed should also be explicitly enabled
 in the configuration.
 The default
@@ -709,15 +707,12 @@ is not to load any certificates.
 .It Cm HostKey
 Specifies a file containing a private host key
 used by SSH.
-The default is
-.Pa /etc/ssh/ssh_host_key
-for protocol version 1, and
+The defaults are
 .Pa /etc/ssh/ssh_host_dsa_key ,
 .Pa /etc/ssh/ssh_host_ecdsa_key ,
 .Pa /etc/ssh/ssh_host_ed25519_key
 and
-.Pa /etc/ssh/ssh_host_rsa_key
-for protocol version 2.
+.Pa /etc/ssh/ssh_host_rsa_key .
 .Pp
 Note that
 .Xr sshd 8
@@ -728,14 +723,6 @@ option restricts which of the keys are actually used by
 .Xr sshd 8 .
 .Pp
 It is possible to have multiple host key files.
-.Dq rsa1
-keys are used for version 1 and
-.Dq dsa ,
-.Dq ecdsa ,
-.Dq ed25519
-or
-.Dq rsa
-are used for version 2 of the SSH protocol.
 It is also possible to specify public host key files instead.
 In this case operations on the private key will be delegated
 to an
@@ -774,8 +761,6 @@ Specifies that
 and
 .Pa .shosts
 files will not be used in
-.Cm RhostsRSAAuthentication
-or
 .Cm HostbasedAuthentication .
 .Pp
 .Pa /etc/hosts.equiv
@@ -790,8 +775,6 @@ Specifies whether
 should ignore the user's
 .Pa ~/.ssh/known_hosts
 during
-.Cm RhostsRSAAuthentication
-or
 .Cm HostbasedAuthentication .
 The default is
 .Dq no .
@@ -910,15 +893,6 @@ option of
 .Xr ssh 1
 with an argument of
 .Dq kex .
-.It Cm KeyRegenerationInterval
-In protocol version 1, the ephemeral server key is automatically regenerated
-after this many seconds (if it has been used).
-The purpose of regeneration is to prevent
-decrypting captured sessions by later breaking into the machine and
-stealing the keys.
-The key is never stored anywhere.
-If the value is 0, the key is never regenerated.
-The default is 3600 (seconds).
 .It Cm ListenAddress
 Specifies the local addresses
 .Xr sshd 8
@@ -1127,8 +1101,6 @@ Available keywords are
 .Cm PubkeyAuthentication ,
 .Cm RekeyLimit ,
 .Cm RevokedKeys ,
-.Cm RhostsRSAAuthentication ,
-.Cm RSAAuthentication ,
 .Cm StreamLocalBindMask ,
 .Cm StreamLocalBindUnlink ,
 .Cm TrustedUserCAKeys ,
@@ -1333,28 +1305,6 @@ when a user logs in interactively.
 or equivalent.)
 The default is
 .Dq yes .
-.It Cm Protocol
-Specifies the protocol versions
-.Xr sshd 8
-supports.
-The possible values are
-.Sq 1
-and
-.Sq 2 .
-Multiple versions must be comma-separated.
-The default is
-.Sq 2 .
-Protocol 1 suffers from a number of cryptographic weaknesses and should
-not be used.
-It is only offered to support legacy devices.
-.Pp
-Note that the order of the protocol list does not indicate preference,
-because the client selects among multiple protocol versions offered
-by the server.
-Specifying
-.Dq 2,1
-is identical to
-.Dq 1,2 .
 .It Cm PubkeyAcceptedKeyTypes
 Specifies the key types that will be accepted for public key authentication
 as a comma-separated pattern list.
@@ -1419,20 +1369,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
 For more information on KRLs, see the KEY REVOCATION LISTS section in
 .Xr ssh-keygen 1 .
-.It Cm RhostsRSAAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
-with successful RSA host authentication is allowed.
-The default is
-.Dq no .
-This option applies to protocol version 1 only.
-.It Cm RSAAuthentication
-Specifies whether pure RSA authentication is allowed.
-The default is
-.Dq yes .
-This option applies to protocol version 1 only.
-.It Cm ServerKeyBits
-Defines the number of bits in the ephemeral protocol version 1 server key.
-The default and minimum value is 1024.
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask