Date: Fri, 5 Aug 2016 15:32:35 +0000 (UTC) From: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= <des@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r303770 - in stable/11: crypto/openssh etc/rc.d Message-ID: <201608051532.u75FWZvc022847@repo.freebsd.org>
Author: des Date: Fri Aug 5 15:32:35 2016 New Revision: 303770 URL: https://svnweb.freebsd.org/changeset/base/303770 Log: MFH (r303716, r303719): drop SSH1 support, disable DSA by default PR: 208254 Approved by: re (gjb) Relnotes: yes Modified: stable/11/crypto/openssh/FREEBSD-upgrade stable/11/crypto/openssh/config.h stable/11/crypto/openssh/configure.ac stable/11/crypto/openssh/myproposal.h stable/11/crypto/openssh/servconf.c stable/11/crypto/openssh/ssh_config.5 stable/11/crypto/openssh/sshd_config.5 stable/11/etc/rc.d/sshd Directory Properties: stable/11/ (props changed)
Modified: stable/11/crypto/openssh/FREEBSD-upgrade
==============================================================================
--- stable/11/crypto/openssh/FREEBSD-upgrade Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/crypto/openssh/FREEBSD-upgrade Fri Aug 5 15:32:35 2016 (r303770)
@@ -142,30 +142,25 @@ Support for TCP wrappers was removed in upstream 6.7p1. We've added it back by porting the 6.6p1 code forward.
-6) DSA keys
-
- DSA keys were disabled by default in upstream 6.9p1. We've added
- them back.
-
-7) Agent client reference counting
+6) Agent client reference counting
We've added code to ssh-agent.c to implement client reference counting; the agent will automatically exit when the last client disconnects.
-8) Class-based login restrictions
+7) Class-based login restrictions
We've added code to auth2.c to enforce the host.allow, host.deny, times.allow and times.deny login class capabilities.
-9) HPN
+8) HPN
We no longer have the HPN patches (adaptive buffer size for increased throughput on high-BxD links), but we recognize and ignore HPN-related configuration options to avoid breaking existing configurations.
-A) AES-CBC
+9) AES-CBC
The AES-CBC ciphers were removed from the server-side proposal list in 6.7p1 due to theoretical weaknesses and the availability of
Modified: stable/11/crypto/openssh/config.h
==============================================================================
--- stable/11/crypto/openssh/config.h Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/crypto/openssh/config.h Fri Aug 5 15:32:35 2016 (r303770)
@@ -1701,7 +1701,7 @@ /* #undef WITH_SELINUX */ /* include SSH protocol version 1 support */
-#define WITH_SSH1 1
+/* #undef WITH_SSH1 */
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel). */
Modified: stable/11/crypto/openssh/configure.ac
==============================================================================
--- stable/11/crypto/openssh/configure.ac Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/crypto/openssh/configure.ac Fri Aug 5 15:32:35 2016 (r303770)
@@ -123,7 +123,7 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [ha ]) openssl=yes
-ssh1=yes
+ssh1=no
AC_ARG_WITH([openssl], [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ], [ if test "x$withval" = "xno" ; then
Modified: stable/11/crypto/openssh/myproposal.h
==============================================================================
--- stable/11/crypto/openssh/myproposal.h Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/crypto/openssh/myproposal.h Fri Aug 5 15:32:35 2016 (r303770)
@@ -100,13 +100,11 @@ HOSTKEY_ECDSA_CERT_METHODS \ "ssh-ed25519-cert-v01@openssh.com," \ "ssh-rsa-cert-v01@openssh.com," \
- "ssh-dss-cert-v01@openssh.com," \
HOSTKEY_ECDSA_METHODS \ "ssh-ed25519," \ "rsa-sha2-512," \ "rsa-sha2-256," \
- "ssh-rsa," \
- "ssh-dss"
+ "ssh-rsa"
/* the actual algorithms */
Modified: stable/11/crypto/openssh/servconf.c
==============================================================================
--- stable/11/crypto/openssh/servconf.c Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/crypto/openssh/servconf.c Fri Aug 5 15:32:35 2016 (r303770)
@@ -206,8 +206,6 @@ fill_default_server_options(ServerOption /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_2;
- if (options->protocol & SSH_PROTO_1)
- error("WARNING: SSH protocol version 1 enabled");
if (options->num_host_key_files == 0) { /* fill default hostkeys for protocols */ if (options->protocol & SSH_PROTO_1)
Modified: stable/11/crypto/openssh/ssh_config.5
==============================================================================
--- stable/11/crypto/openssh/ssh_config.5 Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/crypto/openssh/ssh_config.5 Fri Aug 5 15:32:35 2016 (r303770)
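Review bot: Dropping `"ssh-dss-cert-v01@openssh.com,"` and `"ssh-dss"` from this default list means a peer whose only host key is DSA, or an account whose only authorized key is DSA, is now refused out of the box, yet nothing in the header says that DSA is still accepted when explicitly configured rather than gone; the macro this hunk edits begins before the hunk. A one-line comment above that macro would spare the next reader a trip to the commit log, e.g. `/* ssh-dss is deliberately absent from the default proposal; re-enable per host via HostKeyAlgorithms / PubkeyAcceptedKeyTypes */`. The trailing-comma removal on the `"ssh-rsa"` line is right, since it is now the final element.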
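Review bot: With `error("WARNING: SSH protocol version 1 enabled")` gone, the `options->protocol & SSH_PROTO_1` test on the context line that follows is still reachable, so a `Protocol 1` or `Protocol 2,1` directive parsed elsewhere would keep that bit set and still take the protocol-1 default-hostkey branch with no message at all; whether another site rejects the bit on a build with `WITH_SSH1` undefined is not visible in this hunk and should be confirmed. If nothing else reports it, keep a diagnostic at the removed site rather than going silent, e.g. `if (options->protocol & SSH_PROTO_1) error("SSH protocol version 1 is not supported in this build; ignoring");`, so an operator who expected v1 learns why the server behaves differently. fill_default_server_options begins before this hunk and continues after it.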
@@ -871,10 +871,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com,
-ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed .Pp The
@@ -896,10 +894,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com,
-ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed .Pp If hostkeys are known for the destination host then this default is modified
@@ -1336,10 +1332,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com,
-ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed .Pp The
Modified: stable/11/crypto/openssh/sshd_config.5
==============================================================================
--- stable/11/crypto/openssh/sshd_config.5 Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/crypto/openssh/sshd_config.5 Fri Aug 5 15:32:35 2016 (r303770)
@@ -659,10 +659,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com,
-ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed .Pp The
@@ -753,10 +751,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com,
-ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed .Pp The list of available key types may also be obtained using the
@@ -1372,10 +1368,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com,
-ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed .Pp The
Modified: stable/11/etc/rc.d/sshd
==============================================================================
--- stable/11/etc/rc.d/sshd Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/etc/rc.d/sshd Fri Aug 5 15:32:35 2016 (r303770)
@@ -23,7 +23,7 @@ extra_commands="configtest keygen reload : ${sshd_rsa1_enable:="no"} : ${sshd_rsa_enable:="yes"}
-: ${sshd_dsa_enable:="yes"}
+: ${sshd_dsa_enable:="no"}
: ${sshd_ecdsa_enable:="yes"} : ${sshd_ed25519_enable:="yes"}
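Review bot: `sshd_rsa1_enable` on the context line just above the changed one outlives a commit that removes SSH1 support altogether; if the keygen logic it gates still exists further down this script, an operator who sets it to yes now gets a host key the daemon can no longer load, so the knob should either go or become a no-op that warns. Flipping `sshd_dsa_enable` to `"no"` only stops generating new DSA host keys; a DSA host key already present on an upgraded system stays on disk and, if still listed as a HostKey, is still loaded even though the default proposal no longer offers it, which deserves a sentence in the rc.conf(5) description of this variable. The defaults block continues outside this hunk.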