From owner-svn-src-stable@freebsd.org Fri Aug 5 15:32:37 2016 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5C39ABB0373; Fri, 5 Aug 2016 15:32:37 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1F4221773; Fri, 5 Aug 2016 15:32:37 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u75FWa3m022855; Fri, 5 Aug 2016 15:32:36 GMT (envelope-from des@FreeBSD.org) Received: (from des@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u75FWZvc022847; Fri, 5 Aug 2016 15:32:35 GMT (envelope-from des@FreeBSD.org) Message-Id: <201608051532.u75FWZvc022847@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: des set sender to des@FreeBSD.org using -f From: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= Date: Fri, 5 Aug 2016 15:32:35 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r303770 - in stable/11: crypto/openssh etc/rc.d X-SVN-Group: stable-11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Aug 2016 15:32:37 -0000 Author: des Date: Fri Aug 5 15:32:35 2016 New Revision: 303770 URL: https://svnweb.freebsd.org/changeset/base/303770 Log: MFH (r303716, r303719): drop SSH1 support, disable DSA by default PR: 208254 Approved by: re (gjb) Relnotes: yes Modified: stable/11/crypto/openssh/FREEBSD-upgrade stable/11/crypto/openssh/config.h stable/11/crypto/openssh/configure.ac stable/11/crypto/openssh/myproposal.h stable/11/crypto/openssh/servconf.c stable/11/crypto/openssh/ssh_config.5 stable/11/crypto/openssh/sshd_config.5 stable/11/etc/rc.d/sshd Directory Properties: stable/11/ (props changed) Modified: stable/11/crypto/openssh/FREEBSD-upgrade ============================================================================== --- stable/11/crypto/openssh/FREEBSD-upgrade Fri Aug 5 15:30:05 2016 (r303769) +++ stable/11/crypto/openssh/FREEBSD-upgrade Fri Aug 5 15:32:35 2016 (r303770) @@ -142,30 +142,25 @@ Support for TCP wrappers was removed in upstream 6.7p1. We've added it back by porting the 6.6p1 code forward. -6) DSA keys - - DSA keys were disabled by default in upstream 6.9p1. We've added - them back. - -7) Agent client reference counting +6) Agent client reference counting We've added code to ssh-agent.c to implement client reference counting; the agent will automatically exit when the last client disconnects. -8) Class-based login restrictions +7) Class-based login restrictions We've added code to auth2.c to enforce the host.allow, host.deny, times.allow and times.deny login class capabilities. -9) HPN +8) HPN We no longer have the HPN patches (adaptive buffer size for increased throughput on high-BxD links), but we recognize and ignore HPN-related configuration options to avoid breaking existing configurations. -A) AES-CBC +9) AES-CBC The AES-CBC ciphers were removed from the server-side proposal list in 6.7p1 due to theoretical weaknesses and the availability of Modified: stable/11/crypto/openssh/config.h ============================================================================== --- stable/11/crypto/openssh/config.h Fri Aug 5 15:30:05 2016 (r303769) +++ stable/11/crypto/openssh/config.h Fri Aug 5 15:32:35 2016 (r303770) @@ -1701,7 +1701,7 @@ /* #undef WITH_SELINUX */ /* include SSH protocol version 1 support */ -#define WITH_SSH1 1 +/* #undef WITH_SSH1 */ /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel). */ Modified: stable/11/crypto/openssh/configure.ac ============================================================================== --- stable/11/crypto/openssh/configure.ac Fri Aug 5 15:30:05 2016 (r303769) +++ stable/11/crypto/openssh/configure.ac Fri Aug 5 15:32:35 2016 (r303770) @@ -123,7 +123,7 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [ha ]) openssl=yes -ssh1=yes +ssh1=no AC_ARG_WITH([openssl], [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ], [ if test "x$withval" = "xno" ; then Modified: stable/11/crypto/openssh/myproposal.h ============================================================================== --- stable/11/crypto/openssh/myproposal.h Fri Aug 5 15:30:05 2016 (r303769) +++ stable/11/crypto/openssh/myproposal.h Fri Aug 5 15:32:35 2016 (r303770) @@ -100,13 +100,11 @@ HOSTKEY_ECDSA_CERT_METHODS \ "ssh-ed25519-cert-v01@openssh.com," \ "ssh-rsa-cert-v01@openssh.com," \ - "ssh-dss-cert-v01@openssh.com," \ HOSTKEY_ECDSA_METHODS \ "ssh-ed25519," \ "rsa-sha2-512," \ "rsa-sha2-256," \ - "ssh-rsa," \ - "ssh-dss" + "ssh-rsa" /* the actual algorithms */ Modified: stable/11/crypto/openssh/servconf.c ============================================================================== --- stable/11/crypto/openssh/servconf.c Fri Aug 5 15:30:05 2016 (r303769) +++ stable/11/crypto/openssh/servconf.c Fri Aug 5 15:32:35 2016 (r303770) @@ -206,8 +206,6 @@ fill_default_server_options(ServerOption /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_2; - if (options->protocol & SSH_PROTO_1) - error("WARNING: SSH protocol version 1 enabled"); if (options->num_host_key_files == 0) { /* fill default hostkeys for protocols */ if (options->protocol & SSH_PROTO_1) Modified: stable/11/crypto/openssh/ssh_config.5 ============================================================================== --- stable/11/crypto/openssh/ssh_config.5 Fri Aug 5 15:30:05 2016 (r303769) +++ stable/11/crypto/openssh/ssh_config.5 Fri Aug 5 15:32:35 2016 (r303770) @@ -871,10 +871,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, -ssh-dss-cert-v01@openssh.com, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, -ecdsa-sha2-nistp521,ssh-ed25519, -ssh-rsa,ssh-dss +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa .Ed .Pp The @@ -896,10 +894,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, -ssh-dss-cert-v01@openssh.com, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, -ecdsa-sha2-nistp521,ssh-ed25519, -ssh-rsa,ssh-dss +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa .Ed .Pp If hostkeys are known for the destination host then this default is modified @@ -1336,10 +1332,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, -ssh-dss-cert-v01@openssh.com, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, -ecdsa-sha2-nistp521,ssh-ed25519, -ssh-rsa,ssh-dss +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa .Ed .Pp The Modified: stable/11/crypto/openssh/sshd_config.5 ============================================================================== --- stable/11/crypto/openssh/sshd_config.5 Fri Aug 5 15:30:05 2016 (r303769) +++ stable/11/crypto/openssh/sshd_config.5 Fri Aug 5 15:32:35 2016 (r303770) @@ -659,10 +659,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, -ssh-dss-cert-v01@openssh.com, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, -ecdsa-sha2-nistp521,ssh-ed25519, -ssh-rsa,ssh-dss +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa .Ed .Pp The @@ -753,10 +751,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, -ssh-dss-cert-v01@openssh.com, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, -ecdsa-sha2-nistp521,ssh-ed25519, -ssh-rsa,ssh-dss +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa .Ed .Pp The list of available key types may also be obtained using the @@ -1372,10 +1368,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, -ssh-dss-cert-v01@openssh.com, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, -ecdsa-sha2-nistp521,ssh-ed25519, -ssh-rsa,ssh-dss +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa .Ed .Pp The Modified: stable/11/etc/rc.d/sshd ============================================================================== --- stable/11/etc/rc.d/sshd Fri Aug 5 15:30:05 2016 (r303769) +++ stable/11/etc/rc.d/sshd Fri Aug 5 15:32:35 2016 (r303770) @@ -23,7 +23,7 @@ extra_commands="configtest keygen reload : ${sshd_rsa1_enable:="no"} : ${sshd_rsa_enable:="yes"} -: ${sshd_dsa_enable:="yes"} +: ${sshd_dsa_enable:="no"} : ${sshd_ecdsa_enable:="yes"} : ${sshd_ed25519_enable:="yes"}