svn commit: r303770 - in stable/11: crypto/openssh etc/rc.d
Dag-Erling Smørgrav
des at FreeBSD.org
Fri Aug 5 15:32:37 UTC 2016
Author: des
Date: Fri Aug 5 15:32:35 2016
New Revision: 303770
URL: https://svnweb.freebsd.org/changeset/base/303770
Log:
MFH (r303716, r303719): drop SSH1 support, disable DSA by default
PR: 208254
Approved by: re (gjb)
Relnotes: yes
Modified:
stable/11/crypto/openssh/FREEBSD-upgrade
stable/11/crypto/openssh/config.h
stable/11/crypto/openssh/configure.ac
stable/11/crypto/openssh/myproposal.h
stable/11/crypto/openssh/servconf.c
stable/11/crypto/openssh/ssh_config.5
stable/11/crypto/openssh/sshd_config.5
stable/11/etc/rc.d/sshd
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/crypto/openssh/FREEBSD-upgrade
==============================================================================
--- stable/11/crypto/openssh/FREEBSD-upgrade Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/crypto/openssh/FREEBSD-upgrade Fri Aug 5 15:32:35 2016 (r303770)
@@ -142,30 +142,25 @@
Support for TCP wrappers was removed in upstream 6.7p1. We've
added it back by porting the 6.6p1 code forward.
-6) DSA keys
-
- DSA keys were disabled by default in upstream 6.9p1. We've added
- them back.
-
-7) Agent client reference counting
+6) Agent client reference counting
We've added code to ssh-agent.c to implement client reference
counting; the agent will automatically exit when the last client
disconnects.
-8) Class-based login restrictions
+7) Class-based login restrictions
We've added code to auth2.c to enforce the host.allow, host.deny,
times.allow and times.deny login class capabilities.
-9) HPN
+8) HPN
We no longer have the HPN patches (adaptive buffer size for
increased throughput on high-BxD links), but we recognize and
ignore HPN-related configuration options to avoid breaking existing
configurations.
-A) AES-CBC
+9) AES-CBC
The AES-CBC ciphers were removed from the server-side proposal list
in 6.7p1 due to theoretical weaknesses and the availability of
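Review bot: renumbering items 7..A down to 6..9 deletes the "DSA keys" entry outright instead of replacing it, so the upgrade notes now say nothing about DSA even though this same commit drops ssh-dss from the default proposal and flips sshd_dsa_enable to "no"; suggest keeping a short item in its place (for example "DSA keys are disabled by default, matching upstream 6.9p1; set sshd_dsa_enable=yes in rc.conf to generate one") so the local deviation from upstream stays documented for the next import. Renumbering also invalidates any external reference to "item A) AES-CBC"; leaving the old numbering and marking item 6 as removed would avoid that.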
Modified: stable/11/crypto/openssh/config.h
==============================================================================
--- stable/11/crypto/openssh/config.h Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/crypto/openssh/config.h Fri Aug 5 15:32:35 2016 (r303770)
@@ -1701,7 +1701,7 @@
/* #undef WITH_SELINUX */
/* include SSH protocol version 1 support */
-#define WITH_SSH1 1
+/* #undef WITH_SSH1 */
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
significant byte first (like Motorola and SPARC, unlike Intel). */
Modified: stable/11/crypto/openssh/configure.ac
==============================================================================
--- stable/11/crypto/openssh/configure.ac Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/crypto/openssh/configure.ac Fri Aug 5 15:32:35 2016 (r303770)
@@ -123,7 +123,7 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [ha
])
openssl=yes
-ssh1=yes
+ssh1=no
AC_ARG_WITH([openssl],
[ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
[ if test "x$withval" = "xno" ; then
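Review bot: ssh1=no only changes the configure default; because FreeBSD ships the generated config.h in the tree (edited by hand in the previous hunk), this hunk has no effect on the base build by itself, and the two must be kept in step manually. Keeping both is right, since a future regeneration of config.h will now produce `/* #undef WITH_SSH1 */` without extra flags, but a one-line reminder in FREEBSD-upgrade that config.h is hand-maintained would help whoever does the next import.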
Modified: stable/11/crypto/openssh/myproposal.h
==============================================================================
--- stable/11/crypto/openssh/myproposal.h Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/crypto/openssh/myproposal.h Fri Aug 5 15:32:35 2016 (r303770)
@@ -100,13 +100,11 @@
HOSTKEY_ECDSA_CERT_METHODS \
"ssh-ed25519-cert-v01 at openssh.com," \
"ssh-rsa-cert-v01 at openssh.com," \
- "ssh-dss-cert-v01 at openssh.com," \
HOSTKEY_ECDSA_METHODS \
"ssh-ed25519," \
"rsa-sha2-512," \
"rsa-sha2-256," \
- "ssh-rsa," \
- "ssh-dss"
+ "ssh-rsa"
/* the actual algorithms */
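Review bot: removing "ssh-dss-cert-v01@openssh.com" and "ssh-dss" from this macro changes the client default as well as the server one (the ssh_config.5 hunks below edit HostKeyAlgorithms and the accepted-key-type lists to match), so a client will now refuse a server that only has a DSA host key and will no longer offer ssh-dss user keys by default. That is the intended hardening, but it deserves a Relnotes entry stating that the `+ssh-dss` form of HostKeyAlgorithms or PubkeyAcceptedKeyTypes restores the old behaviour for legacy hosts. The macro itself is fine: "ssh-rsa" is now the last element and correctly carries no trailing comma.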
Modified: stable/11/crypto/openssh/servconf.c
==============================================================================
--- stable/11/crypto/openssh/servconf.c Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/crypto/openssh/servconf.c Fri Aug 5 15:32:35 2016 (r303770)
@@ -206,8 +206,6 @@ fill_default_server_options(ServerOption
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
options->protocol = SSH_PROTO_2;
- if (options->protocol & SSH_PROTO_1)
- error("WARNING: SSH protocol version 1 enabled");
if (options->num_host_key_files == 0) {
/* fill default hostkeys for protocols */
if (options->protocol & SSH_PROTO_1)
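Review bot: dropping the "WARNING: SSH protocol version 1 enabled" diagnostic means an sshd_config that still says `Protocol 2,1` or `Protocol 1` gets no warning from fill_default_server_options(); that is only safe if option parsing rejects or ignores protocol 1 when WITH_SSH1 is undefined, so please confirm that, otherwise administrators lose the one log line telling them the setting is no longer honoured. The trailing context still branches on SSH_PROTO_1 to choose default host key files; harmless, but now dead code in this build and a candidate for the same `#ifdef WITH_SSH1` guard.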
Modified: stable/11/crypto/openssh/ssh_config.5
==============================================================================
--- stable/11/crypto/openssh/ssh_config.5 Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/crypto/openssh/ssh_config.5 Fri Aug 5 15:32:35 2016 (r303770)
@@ -871,10 +871,8 @@ ecdsa-sha2-nistp384-cert-v01 at openssh.com
ecdsa-sha2-nistp521-cert-v01 at openssh.com,
ssh-ed25519-cert-v01 at openssh.com,
ssh-rsa-cert-v01 at openssh.com,
-ssh-dss-cert-v01 at openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed
.Pp
The
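Review bot: this default list is duplicated verbatim three times in ssh_config.5 and three times in sshd_config.5, and all six copies are edited by hand here; each copy should be checked against the HOSTKEY macro in myproposal.h (same entries, same order) before commit, and a note in FREEBSD-upgrade that these six blocks mirror myproposal.h would keep them from drifting on the next import. The re-wrap putting all three ecdsa-sha2 entries on one line renders verbatim inside the .Bd block and stays well under 80 columns, so the layout change is fine.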
@@ -896,10 +894,8 @@ ecdsa-sha2-nistp384-cert-v01 at openssh.com
ecdsa-sha2-nistp521-cert-v01 at openssh.com,
ssh-ed25519-cert-v01 at openssh.com,
ssh-rsa-cert-v01 at openssh.com,
-ssh-dss-cert-v01 at openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed
.Pp
If hostkeys are known for the destination host then this default is modified
@@ -1336,10 +1332,8 @@ ecdsa-sha2-nistp384-cert-v01 at openssh.com
ecdsa-sha2-nistp521-cert-v01 at openssh.com,
ssh-ed25519-cert-v01 at openssh.com,
ssh-rsa-cert-v01 at openssh.com,
-ssh-dss-cert-v01 at openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed
.Pp
The
Modified: stable/11/crypto/openssh/sshd_config.5
==============================================================================
--- stable/11/crypto/openssh/sshd_config.5 Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/crypto/openssh/sshd_config.5 Fri Aug 5 15:32:35 2016 (r303770)
@@ -659,10 +659,8 @@ ecdsa-sha2-nistp384-cert-v01 at openssh.com
ecdsa-sha2-nistp521-cert-v01 at openssh.com,
ssh-ed25519-cert-v01 at openssh.com,
ssh-rsa-cert-v01 at openssh.com,
-ssh-dss-cert-v01 at openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed
.Pp
The
@@ -753,10 +751,8 @@ ecdsa-sha2-nistp384-cert-v01 at openssh.com
ecdsa-sha2-nistp521-cert-v01 at openssh.com,
ssh-ed25519-cert-v01 at openssh.com,
ssh-rsa-cert-v01 at openssh.com,
-ssh-dss-cert-v01 at openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed
.Pp
The list of available key types may also be obtained using the
@@ -1372,10 +1368,8 @@ ecdsa-sha2-nistp384-cert-v01 at openssh.com
ecdsa-sha2-nistp521-cert-v01 at openssh.com,
ssh-ed25519-cert-v01 at openssh.com,
ssh-rsa-cert-v01 at openssh.com,
-ssh-dss-cert-v01 at openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed
.Pp
The
Modified: stable/11/etc/rc.d/sshd
==============================================================================
--- stable/11/etc/rc.d/sshd Fri Aug 5 15:30:05 2016 (r303769)
+++ stable/11/etc/rc.d/sshd Fri Aug 5 15:32:35 2016 (r303770)
@@ -23,7 +23,7 @@ extra_commands="configtest keygen reload
: ${sshd_rsa1_enable:="no"}
: ${sshd_rsa_enable:="yes"}
-: ${sshd_dsa_enable:="yes"}
+: ${sshd_dsa_enable:="no"}
: ${sshd_ecdsa_enable:="yes"}
: ${sshd_ed25519_enable:="yes"}
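Review bot: changing sshd_dsa_enable to "no" only stops the keygen step from creating a DSA host key on hosts that do not have one yet; an existing DSA host key is untouched and, now that the server proposal in myproposal.h no longer lists ssh-dss, it will be loaded but never offered, so the Relnotes or rc.conf(5) should say so. The `sshd_rsa1_enable` knob in the leading context now controls a key type this build no longer supports (WITH_SSH1 is undefined by the config.h hunk); consider removing it or having the script warn when it is set to "yes" rather than leaving a knob that can no longer do anything useful.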