svn commit: r303716 - head/crypto/openssh

Wed, 03 Aug 2016 09:09:16 -0700 

Author: des
Date: Wed Aug  3 16:08:21 2016
New Revision: 303716
URL: https://svnweb.freebsd.org/changeset/base/303716

Log:
  Remove DSA from default cipher list and disable SSH1.
  
  Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for
  reasons which boil down to POLA.  Now is a good time to catch up.
  
  MFC after:    3 days
  Relnotes:     yes

Modified:
  head/crypto/openssh/FREEBSD-upgrade
  head/crypto/openssh/config.h
  head/crypto/openssh/configure.ac
  head/crypto/openssh/myproposal.h
  head/crypto/openssh/servconf.c
  head/crypto/openssh/ssh_config.5
  head/crypto/openssh/sshd_config.5

Modified: head/crypto/openssh/FREEBSD-upgrade
==============================================================================
--- head/crypto/openssh/FREEBSD-upgrade Wed Aug  3 15:58:20 2016        
(r303715)
+++ head/crypto/openssh/FREEBSD-upgrade Wed Aug  3 16:08:21 2016        
(r303716)
@@ -142,30 +142,25 @@
    Support for TCP wrappers was removed in upstream 6.7p1.  We've
    added it back by porting the 6.6p1 code forward.
 
-6) DSA keys
-
-   DSA keys were disabled by default in upstream 6.9p1.  We've added
-   them back.
-
-7) Agent client reference counting
+6) Agent client reference counting
 
    We've added code to ssh-agent.c to implement client reference
    counting; the agent will automatically exit when the last client
    disconnects.
 
-8) Class-based login restrictions
+7) Class-based login restrictions
 
    We've added code to auth2.c to enforce the host.allow, host.deny,
    times.allow and times.deny login class capabilities.
 
-9) HPN
+8) HPN
 
    We no longer have the HPN patches (adaptive buffer size for
    increased throughput on high-BxD links), but we recognize and
    ignore HPN-related configuration options to avoid breaking existing
    configurations.
 
-A) AES-CBC
+9) AES-CBC
 
    The AES-CBC ciphers were removed from the server-side proposal list
    in 6.7p1 due to theoretical weaknesses and the availability of

Modified: head/crypto/openssh/config.h
==============================================================================
--- head/crypto/openssh/config.h        Wed Aug  3 15:58:20 2016        
(r303715)
+++ head/crypto/openssh/config.h        Wed Aug  3 16:08:21 2016        
(r303716)
@@ -1701,7 +1701,7 @@
 /* #undef WITH_SELINUX */
 
 /* include SSH protocol version 1 support */
-#define WITH_SSH1 1
+/* #undef WITH_SSH1 */
 
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */

Modified: head/crypto/openssh/configure.ac
==============================================================================
--- head/crypto/openssh/configure.ac    Wed Aug  3 15:58:20 2016        
(r303715)
+++ head/crypto/openssh/configure.ac    Wed Aug  3 16:08:21 2016        
(r303716)
@@ -123,7 +123,7 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [ha
 ])
 
 openssl=yes
-ssh1=yes
+ssh1=no
 AC_ARG_WITH([openssl],
        [  --without-openssl       Disable use of OpenSSL; use only limited 
internal crypto **EXPERIMENTAL** ],
        [  if test "x$withval" = "xno" ; then

Modified: head/crypto/openssh/myproposal.h
==============================================================================
--- head/crypto/openssh/myproposal.h    Wed Aug  3 15:58:20 2016        
(r303715)
+++ head/crypto/openssh/myproposal.h    Wed Aug  3 16:08:21 2016        
(r303716)
@@ -100,13 +100,11 @@
        HOSTKEY_ECDSA_CERT_METHODS \
        "ssh-ed25519-cert-...@openssh.com," \
        "ssh-rsa-cert-...@openssh.com," \
-       "ssh-dss-cert-...@openssh.com," \
        HOSTKEY_ECDSA_METHODS \
        "ssh-ed25519," \
        "rsa-sha2-512," \
        "rsa-sha2-256," \
-       "ssh-rsa," \
-       "ssh-dss"
+       "ssh-rsa"
 
 /* the actual algorithms */
 

Modified: head/crypto/openssh/servconf.c
==============================================================================
--- head/crypto/openssh/servconf.c      Wed Aug  3 15:58:20 2016        
(r303715)
+++ head/crypto/openssh/servconf.c      Wed Aug  3 16:08:21 2016        
(r303716)
@@ -206,8 +206,6 @@ fill_default_server_options(ServerOption
        /* Standard Options */
        if (options->protocol == SSH_PROTO_UNKNOWN)
                options->protocol = SSH_PROTO_2;
-       if (options->protocol & SSH_PROTO_1)
-               error("WARNING: SSH protocol version 1 enabled");
        if (options->num_host_key_files == 0) {
                /* fill default hostkeys for protocols */
                if (options->protocol & SSH_PROTO_1)

Modified: head/crypto/openssh/ssh_config.5
==============================================================================
--- head/crypto/openssh/ssh_config.5    Wed Aug  3 15:58:20 2016        
(r303715)
+++ head/crypto/openssh/ssh_config.5    Wed Aug  3 16:08:21 2016        
(r303716)
@@ -871,10 +871,8 @@ ecdsa-sha2-nistp384-cert-...@openssh.com
 ecdsa-sha2-nistp521-cert-...@openssh.com,
 ssh-ed25519-cert-...@openssh.com,
 ssh-rsa-cert-...@openssh.com,
-ssh-dss-cert-...@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
 .Ed
 .Pp
 The
@@ -896,10 +894,8 @@ ecdsa-sha2-nistp384-cert-...@openssh.com
 ecdsa-sha2-nistp521-cert-...@openssh.com,
 ssh-ed25519-cert-...@openssh.com,
 ssh-rsa-cert-...@openssh.com,
-ssh-dss-cert-...@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
 .Ed
 .Pp
 If hostkeys are known for the destination host then this default is modified
@@ -1336,10 +1332,8 @@ ecdsa-sha2-nistp384-cert-...@openssh.com
 ecdsa-sha2-nistp521-cert-...@openssh.com,
 ssh-ed25519-cert-...@openssh.com,
 ssh-rsa-cert-...@openssh.com,
-ssh-dss-cert-...@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
 .Ed
 .Pp
 The

Modified: head/crypto/openssh/sshd_config.5
==============================================================================
--- head/crypto/openssh/sshd_config.5   Wed Aug  3 15:58:20 2016        
(r303715)
+++ head/crypto/openssh/sshd_config.5   Wed Aug  3 16:08:21 2016        
(r303716)
@@ -659,10 +659,8 @@ ecdsa-sha2-nistp384-cert-...@openssh.com
 ecdsa-sha2-nistp521-cert-...@openssh.com,
 ssh-ed25519-cert-...@openssh.com,
 ssh-rsa-cert-...@openssh.com,
-ssh-dss-cert-...@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
 .Ed
 .Pp
 The
@@ -753,10 +751,8 @@ ecdsa-sha2-nistp384-cert-...@openssh.com
 ecdsa-sha2-nistp521-cert-...@openssh.com,
 ssh-ed25519-cert-...@openssh.com,
 ssh-rsa-cert-...@openssh.com,
-ssh-dss-cert-...@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using the
@@ -1372,10 +1368,8 @@ ecdsa-sha2-nistp384-cert-...@openssh.com
 ecdsa-sha2-nistp521-cert-...@openssh.com,
 ssh-ed25519-cert-...@openssh.com,
 ssh-rsa-cert-...@openssh.com,
-ssh-dss-cert-...@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,ssh-ed25519,
-ssh-rsa,ssh-dss
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
 .Ed
 .Pp
 The
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

Reply via email to