Hi,

OpenSSH git master now disabled SSH protocol 1 at compile time by
default. If you want it back, then you'll need to pass --with-ssh1
to configure before you build.

We expect to ship this configuration for openssh-6.9 in a few
months.

-d

Hmm. Feels a little aggressive for ssh client. Support heartily for sshd.

--Dan

On Tue, Mar 24, 2015 at 4:26 PM, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH git master now disabled SSH protocol 1 at compile time by
> default. If you want it back, then you'll need to pass --with-ssh1
> to configure before you build.
>
> We expect to ship this configuration for openssh-6.9 in a few
> months.
>
> -d

On Tue, 24 Mar 2015, Dan Kaminsky wrote:
> Hmm. Feels a little aggressive for ssh client. Support heartily for sshd.

People who need it can build their own, or OS vendors might supply
a non-default v.1 capable client binary themselves.

IMO it's time to apply some selection pressure to a protocol that
can't be secured.

-d

Christoph Anton Mitterer
2015-Mar-25 03:15 UTC
FYI: SSH1 now disabled at compile-time by default
On Wed, 2015-03-25 at 10:26 +1100, Damien Miller wrote:
> OpenSSH git master now disabled SSH protocol 1 at compile time by
> default. If you want it back, then you'll need to pass --with-ssh1
> to configure before you build.

+1

- People who use SSH are expected to want security (which v1 doesn't
  provide) - people who actually don't want security, shouldn't have used
  SSH in the first place, but could have used rsh, telnet, etc.
- Many distros shipped it anyway with v1 disabled.
- It's not removed from the code but just disabled at compile time, if
  people really think they'd desperately need it, they can compile on
  their own.

Good move!

Hi,

On Wed, Mar 25, 2015 at 10:26:22AM +1100, Damien Miller wrote:
> OpenSSH git master now disabled SSH protocol 1 at compile time by
> default. If you want it back, then you'll need to pass --with-ssh1
> to configure before you build.

I applaud the decision to remove ssh v1 (by default) from the sshd
side of things.

OTOH, I have to deal with lots of stupid and old devices that do not
offer SSH v2 (Routers, Switches, that sort of stuff), so having v1 in
the *client* (only!) is something I would miss... SSHv1 might not be
great, but it's better than (unencrypted) telnet.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

On 25 Mar 2015, at 03:15, Christoph Anton Mitterer <calestyo at scientia.net> wrote:
> On Wed, 2015-03-25 at 10:26 +1100, Damien Miller wrote:
>> OpenSSH git master now disabled SSH protocol 1 at compile time by
>> default. If you want it back, then you'll need to pass --with-ssh1
>> to configure before you build.
> +1
>
> - People who use SSH are expected to want security (which v1 doesn't
> provide) - people who actually don't want security, shouldn't have used
> SSH in the first place, but could have used rsh, telnet, etc.

+1 for doing it in sshd.

For the client, one issue is that it's not easy for the naive ssh user
to tell if the equipment they are using supports ssh2 or just ssh1. For
instance, the user currently using an ssh1-supporting ssh client to
reach their cisco router doesn't (as I understand it) get warned if the
cisco router only supports ssh1.

Would one option be for the client to display a (suppressible)
'The server you are connecting to only supports ssh protocol version 1
which is potentially insecure, and for which support will soon be
removed - continue (y/n)' type prompt by default? This could continue
for a couple of major releases.

--
Alex Bligh

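The question raised above, whether a given device offers protocol 2 or only protocol 1, can be answered from the identification line a server sends on connect (RFC 4253, section 4.2; a protoversion of 1.99 means both are offered). The following is an added example, not part of the thread or of OpenSSH; the host names and banners are constructed sample data.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_IDENT = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: (.*))?$")

def classify_banner(line):
    """Return 'v1-only', 'v1+v2', 'v2-only' or 'not-ssh' for an identification line."""
    m = _IDENT.match(line.rstrip("\r\n"))
    if not m:
        return "not-ssh"
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):
        return "v1+v2"      # compatibility marker: server offers both protocols
    if major >= 2:
        return "v2-only"
    return "v1-only"        # e.g. 1.5: a client built without SSH1 cannot connect

def read_banner(host, port=22, timeout=5.0):
    """Fetch a server's identification line, skipping any lines sent before it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(20):             # bound the amount of pre-banner text read
            raw = f.readline(256)
            if not raw:
                break
            text = raw.decode("ascii", "replace")
            if text.startswith("SSH-"):
                return text
    return ""

def audit(banners):
    """Classify host -> banner pairs; also return the hosts that still need v1."""
    result = {host: classify_banner(b) for host, b in banners.items()}
    return result, sorted(h for h, c in result.items() if c == "v1-only")

# Constructed sample banners (not captured from real devices).
SAMPLE = {
    "router-a": "SSH-1.5-Cisco-1.25\r\n",
    "switch-b": "SSH-1.99-Cisco-1.25\r\n",
    "server-c": "SSH-2.0-OpenSSH_6.8\r\n",
    "console-d": "login: ",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feeding `read_banner()` output for an equipment inventory into `audit()` gives the list of devices that would become unreachable with a client built without protocol 1.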
On 25/03/15 00:26, Damien Miller wrote:
> Hi,
>
> OpenSSH git master now disabled SSH protocol 1 at compile time by
> default. If you want it back, then you'll need to pass --with-ssh1
> to configure before you build.
>
> We expect to ship this configuration for openssh-6.9 in a few
> months.
>
> -d
>

At the latest I see at anongit.mindrot,
5c27e3b6ec2db711dfcd40e6359c0bcdd0b62ea9
configure option is --without-ssh1, with ssh1 _enabled_ by default. What am I
missing?

On Fri, 27 Mar 2015, Ángel González wrote:
> On 25/03/15 00:26, Damien Miller wrote:
> > Hi,
> >
> > OpenSSH git master now disabled SSH protocol 1 at compile time by
> > default. If you want it back, then you'll need to pass --with-ssh1
> > to configure before you build.
> >
> > We expect to ship this configuration for openssh-6.9 in a few
> > months.
> >
> > -d
> >
> At the latest I see at anongit.mindrot,
> 5c27e3b6ec2db711dfcd40e6359c0bcdd0b62ea9
> configure option is --without-ssh1, with ssh1 _enabled_ by default. What am I
> missing?

it's not you, it's me (forgot to push to the mirrors)