aboutsummaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorDag-Erling Smørgrav <des@FreeBSD.org>2016-08-05 15:32:35 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2016-08-05 15:32:35 +0000
commit44a8f55c90454e47b54d15343f20017551f3e027 (patch)
treee98e4f7766a93614a3bdd3a13babdc30f600b464 /crypto
parentddbd946fa1b45b0edd893ab2c751c12b89e14e84 (diff)
downloadsrc-44a8f55c90454e47b54d15343f20017551f3e027.tar.gz
src-44a8f55c90454e47b54d15343f20017551f3e027.zip
MFH (r303716, r303719): drop SSH1 support, disable DSA by default
PR: 208254 Approved by: re (gjb) Relnotes: yes
Notes
Notes: svn path=/stable/11/; revision=303770
Diffstat (limited to 'crypto')
-rw-r--r--crypto/openssh/FREEBSD-upgrade13
-rw-r--r--crypto/openssh/config.h2
-rw-r--r--crypto/openssh/configure.ac2
-rw-r--r--crypto/openssh/myproposal.h4
-rw-r--r--crypto/openssh/servconf.c2
-rw-r--r--crypto/openssh/ssh_config.518
-rw-r--r--crypto/openssh/sshd_config.518
7 files changed, 19 insertions, 40 deletions
diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade
index 43e2a743537e..4b31eb3532d6 100644
--- a/crypto/openssh/FREEBSD-upgrade
+++ b/crypto/openssh/FREEBSD-upgrade
@@ -142,30 +142,25 @@
Support for TCP wrappers was removed in upstream 6.7p1. We've
added it back by porting the 6.6p1 code forward.
-6) DSA keys
-
- DSA keys were disabled by default in upstream 6.9p1. We've added
- them back.
-
-7) Agent client reference counting
+6) Agent client reference counting
We've added code to ssh-agent.c to implement client reference
counting; the agent will automatically exit when the last client
disconnects.
-8) Class-based login restrictions
+7) Class-based login restrictions
We've added code to auth2.c to enforce the host.allow, host.deny,
times.allow and times.deny login class capabilities.
-9) HPN
+8) HPN
We no longer have the HPN patches (adaptive buffer size for
increased throughput on high-BxD links), but we recognize and
ignore HPN-related configuration options to avoid breaking existing
configurations.
-A) AES-CBC
+9) AES-CBC
The AES-CBC ciphers were removed from the server-side proposal list
in 6.7p1 due to theoretical weaknesses and the availability of
diff --git a/crypto/openssh/config.h b/crypto/openssh/config.h
index 8e59833afbd0..364ebe33e2ef 100644
--- a/crypto/openssh/config.h
+++ b/crypto/openssh/config.h
@@ -1701,7 +1701,7 @@
/* #undef WITH_SELINUX */
/* include SSH protocol version 1 support */
-#define WITH_SSH1 1
+/* #undef WITH_SSH1 */
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
significant byte first (like Motorola and SPARC, unlike Intel). */
diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac
index 05799c864f5e..d8e923a2128d 100644
--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@@ -123,7 +123,7 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
])
openssl=yes
-ssh1=yes
+ssh1=no
AC_ARG_WITH([openssl],
[ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
[ if test "x$withval" = "xno" ; then
diff --git a/crypto/openssh/myproposal.h b/crypto/openssh/myproposal.h
index d286691ebb21..68d29e86b63e 100644
--- a/crypto/openssh/myproposal.h
+++ b/crypto/openssh/myproposal.h
@@ -100,13 +100,11 @@
HOSTKEY_ECDSA_CERT_METHODS \
"ssh-ed25519-cert-v01@openssh.com," \
"ssh-rsa-cert-v01@openssh.com," \
- "ssh-dss-cert-v01@openssh.com," \
HOSTKEY_ECDSA_METHODS \
"ssh-ed25519," \
"rsa-sha2-512," \
"rsa-sha2-256," \
- "ssh-rsa," \
- "ssh-dss"
+ "ssh-rsa"
/* the actual algorithms */
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index e1e6903eb463..da558de2c19e 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -206,8 +206,6 @@ fill_default_server_options(ServerOptions *options)
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
options->protocol = SSH_PROTO_2;
- if (options->protocol & SSH_PROTO_1)
- error("WARNING: SSH protocol version 1 enabled");
if (options->num_host_key_files == 0) {
/* fill default hostkeys for protocols */
if (options->protocol & SSH_PROTO_1)
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index 226a802bec98..0a21247f0d77 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -871,10 +871,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
-ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed
.Pp
The
@@ -896,10 +894,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
-ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed
.Pp
If hostkeys are known for the destination host then this default is modified
@@ -1336,10 +1332,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
-ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed
.Pp
The
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index cc43aad6c86a..78531214a1f9 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -659,10 +659,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
-ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed
.Pp
The
@@ -753,10 +751,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
-ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed
.Pp
The list of available key types may also be obtained using the
@@ -1372,10 +1368,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
-ssh-dss-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
.Ed
.Pp
The