Date: Sat, 14 Jul 2018 14:07:01 +0930
From: Shane Ambler <FreeBSD@ShaneWare.Biz>
To: doug@safeport.com, Doug McIntyre <merlyn@geeks.org>
Cc: freebsd-questions@FreeBSD.org
Subject: Re: ssh on 11.2
Message-ID: <f2caefba-b52d-2632-ac6a-3e288bee228b@ShaneWare.Biz>
In-Reply-To: <alpine.BSF.2.20.1807131146450.24627@fledge.watson.org>
References: <alpine.BSF.2.20.1807121708140.24627@fledge.watson.org> <20180713135754.GA74801@geeks.org> <alpine.BSF.2.20.1807131146450.24627@fledge.watson.org>

On 14/07/2018 02:14, doug wrote:
>
> On Fri, 13 Jul 2018, Doug McIntyre wrote:
>
>> On Thu, Jul 12, 2018 at 05:17:25PM -0400, doug wrote:
>>> After going to 11.2 from 11.1 authorized_keys2 MUST be renamed to
>>> authorized_keys. I spent a bit of time checking permissions and keys before
>>> comparing /etc/ssh/sshd_config. This might be implied in some of the Open-ssh
>>> errata but not so I got it. A note in UPDATING might be nice, or did I just miss
>>> this?
>>
>> Wow, you had an authorized_keys2 file? That was deprecated in OpenSSH 3.0
>> https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2
>>
>> Your setup must have been copied along for quite some time.
>>
>> My guess is that OpenSSH finally removed support of it (although I'd
>> have guessed the support would have been removed long ago), as part
>> of the general cleanup. The changeover happened eons ago, so they
>> probably figured nobody had that version any longer.
>>
> Thanks for the info. Yea one of my keys is from the previous millennium.
> But my point remains. So you piqued my curiosity. FreeBSD takes no note
> of this as far as I can find. https://www.openssh.com/releasenotes.html
> covers OpenSSH 7.7/7.7p1 (2018-04-02) to OpenSSH 1.2.3p1 (2000-03-24).
> And indeed OpenSSH 5.9/5.9p1 (2011-09-06) notes authorized_keys2 is
> deprecated. That's not noted in UPDATING either. Without the comment in
> sshd_config I would still be looking. One of the guys I work with has
> never used authorized_keys2 so I would have gotten it eventually from
> that. Back in the very early ssh days I wanted to do a simple change that
> was eventually implemented. But from that I know I am not up to reading
> the ssh code.

This goes back a while, but the last time use of authorized_keys2 was
removed in head was in Aug 2017 with the upgrade to OpenSSH 7.5p1 which
got merged to stable/11 in Sept 2017 meaning 11.2 doesn't allow it this
time, stable/10 still allows its use.

Back in Mar 2013 (r248465) FreeBSD replaced the use of authorized_keys2
as the previous removal caught many off guard. So keeping support for
this long was a FreeBSD adjustment.

Support for the authorized_keys2 filename was and can be set in
/etc/sshd_config - You will find releng/8.3 and releng/9.1 both removed
authorized_keys2 with 8.4 and 9.2 replacing it. Also of note is that
during these changes using authorized_keys was acceptable.

AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

So... our time for saying we weren't warned has long passed.

-- 
FreeBSD - the place to B...Securing Domains

Shane Ambler
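
Added example, not part of the original thread: an audit that reports accounts whose keys live only in authorized_keys2, so each key can be reviewed before it is moved into authorized_keys or before authorized_keys2 is re-listed in AuthorizedKeysFile. It only reports, because a key that went unused since the upgrade may be stale. The script name, the /home layout and the key-type list are assumptions, and the key values in any test input are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): find keys that exist only in
# authorized_keys2, i.e. keys sshd stopped honouring once that file was
# dropped from AuthorizedKeysFile. Report only; nothing is merged or renamed.
# Assumptions: home directories sit directly under the base directory given,
# and no options field contains a bare key-type word.

KEYTYPE_RE='^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$'

# Print "type blob" for each key line, ignoring options, comments and order.
key_ids() {
    [ -f "$1" ] || return 0
    awk -v re="$KEYTYPE_RE" '
        /^[ \t]*#/ { next }
        { for (i = 1; i < NF; i++) if ($i ~ re) { print $i, $(i + 1); next } }
    ' "$1" | sort -u
}

# Print keys present in <dir>/authorized_keys2 but not in <dir>/authorized_keys.
stranded_keys() {
    ids=$(key_ids "$1/authorized_keys")
    key_ids "$1/authorized_keys2" | while read -r t b; do
        printf '%s\n' "$ids" | grep -qxF -e "$t $b" || printf '%s %s\n' "$t" "$b"
    done
}

# Succeed if an uncommented AuthorizedKeysFile line names authorized_keys2.
config_lists_v2() {
    awk 'tolower($1) == "authorizedkeysfile" && /authorized_keys2/ { found = 1 }
         END { exit !found }' "$1"
}

# One report line per account that still has keys only in authorized_keys2.
audit_homes() {
    for d in "$1"/*/.ssh; do
        [ -f "$d/authorized_keys2" ] || continue
        n=$(stranded_keys "$d" | wc -l | tr -d ' ')
        [ "$n" -gt 0 ] && echo "$d: $n key(s) only in authorized_keys2"
    done
    return 0
}

# Usage: sh audit_keys2.sh /home [/etc/ssh/sshd_config]
if [ "$#" -gt 0 ]; then
    audit_homes "$1"
    if [ -n "$2" ] && config_lists_v2 "$2"; then
        echo "$2 still lists authorized_keys2"
    fi
fi
```

A config file with no AuthorizedKeysFile line falls back to the built-in default, which `sshd -T` prints for the installed version.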