Subject: Re: ssh on 11.2
From: Shane Ambler
To: doug@safeport.com, Doug McIntyre
Cc: freebsd-questions@FreeBSD.org
Date: Sat, 14 Jul 2018 14:07:01 +0930

On 14/07/2018 02:14, doug wrote:
>
> On Fri, 13 Jul 2018, Doug McIntyre wrote:
>
>> On Thu, Jul 12, 2018 at 05:17:25PM -0400, doug wrote:
>>> After going to 11.2 from 11.1 authorized_keys2 MUST be renamed to
>>> authorized_keys. I spent a bit of time checking permissions and keys
>>> before comparing /etc/ssh/sshd_config. This might be implied in some
>>> of the Open-ssh errata but not so I got it. A note in UPDATING might
>>> be nice, or did I just miss this?
>>
>> Wow, you had an authorized_keys2 file?
>> That was deprecated in OpenSSH 3.0
>> https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2
>>
>> Your setup must have been copied along for quite some time.
>>
>> My guess is that OpenSSH finally removed support of it (although I'd
>> have guessed the support would have been removed long ago), as part
>> of the general cleanup. The changeover happened eons ago, so they
>> probably figured nobody had that version any longer.
>>
> Thanks for the info. Yea one of my keys is from the previous millennium.
> But my point remains. So you piqued my curiosity. FreeBSD takes no note
> of this as far as I can find. https://www.openssh.com/releasenotes.html
> covers OpenSSH 7.7/7.7p1 (2018-04-02) to OpenSSH 1.2.3p1 (2000-03-24).
> And indeed OpenSSH 5.9/5.9p1 (2011-09-06) notes authorized_keys2 is
> deprecated. That's not noted in UPDATING either. Without the comment in
> sshd_config I would still be looking. One of the guys I work with has
> never used authorized_keys2 so I would have gotten it eventually from
> that. Back in the very early ssh days I wanted to do a simple change that
> was eventually implemented. But from that I know I am not up to reading
> the ssh code.

This goes back a while, but the last time use of authorized_keys2 was
removed in head was in Aug 2017 with the upgrade to OpenSSH 7.5p1 which
got merged to stable/11 in Sept 2017 meaning 11.2 doesn't allow it this
time, stable/10 still allows its use.

Back in Mar 2013 (r248465) FreeBSD replaced the use of authorized_keys2
as the previous removal caught many off guard. So keeping support for
this long was a FreeBSD adjustment.

Support for the authorized_keys2 filename was and can be set in
/etc/sshd_config - You will find releng/8.3 and releng/9.1 both removed
authorized_keys2 with 8.4 and 9.2 replacing it. Also of note is that
during these changes using authorized_keys was acceptable.

AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

So...
our time for saying we weren't warned has long past.

-- 
FreeBSD - the place to B...Securing Domains

Shane Ambler
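
An added example, not part of the original message or of FreeBSD: a pre-upgrade check that lists non-empty authorized_keys2 files which sshd will stop reading because the AuthorizedKeysFile line no longer names them. The function names and arguments are this example's own; it assumes the first argument is an sshd_config or a saved `sshd -T` dump, that home directories sit directly under the second argument, and that no Match or Include block overrides the global value.

```sh
#!/bin/sh
# Added example (not FreeBSD or OpenSSH code): find authorized_keys2 files
# that the configured AuthorizedKeysFile setting no longer covers.
# Usage (paths are the caller's choice): sh audit_keys2.sh CONFIG HOME_ROOT

# Print the value of the first AuthorizedKeysFile line in the given file.
# sshd keeps the first value it reads for a keyword. Commented-out lines
# are skipped because their first field starts with '#'.
akf_setting() {
    awk 'tolower($1) == "authorizedkeysfile" {
             $1 = ""; sub(/^[ \t]+/, ""); print; exit
         }' "$1"
}

# Print each non-empty HOME_ROOT/*/.ssh/authorized_keys2 that sshd would
# ignore. Prints nothing when the setting still lists authorized_keys2.
# Returns 2 when the file has no explicit setting, because the compiled-in
# default then applies and cannot be read from the config file.
orphaned_keys2() {
    setting=$(akf_setting "$1")
    if [ -z "$setting" ]; then
        echo "no AuthorizedKeysFile line in $1; check a saved 'sshd -T' dump" >&2
        return 2
    fi
    for p in $setting; do
        case "$p" in
            .ssh/authorized_keys2|%h/.ssh/authorized_keys2) return 0 ;;
        esac
    done
    for f in "$2"/*/.ssh/authorized_keys2; do
        if [ -s "$f" ]; then echo "$f"; fi
    done
}

if [ "$#" -eq 2 ]; then
    orphaned_keys2 "$1" "$2"
fi
```

Each path printed is a key file to merge into the sibling authorized_keys before the upgrade, or to keep working by adding .ssh/authorized_keys2 back to the AuthorizedKeysFile line as shown in the message.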