Le 23/02/2018 ? 12:42, Colin Watson a ?crit?:> On Fri, Feb 23, 2018 at 11:46:31AM +0100, mlrx wrote: >> I jumped from an OS to an other since few days. On the new one, >> openssh comes in a much newer version (good thing): 7.6p1 >> sshd lets me know that there are two depreciated options: >> - KeyRegenerationInterval >> - UsePrivilegeSeparation >> >> I search for a place where I can find information about deprecated >> options and how to manage it. > > I can't give you a general answer other than reading git history, but > regarding your specific options: > > * KeyRegenerationInterval was specific to SSH protocol 1, which you > almost certainly weren't using and in any case is no longer supported > in recent versions of OpenSSH. > * sshd now always behaves as if "UsePrivilegeSeparation sandbox" had > been set, and this is no longer configurable. > > In both cases, you should just remove the options from sshd_config.5.Hello, Thank you for your fast answer. May I infer that when an option is deprecated it can simply be deleted and consider that it is a working rule of the dev team (and therefore adopt this mode of operation for the future)? Regards, -- benoist -- benoist
On Fri, Feb 23, 2018 at 02:45:55PM +0100, mlrx wrote:> May I infer that when an option is deprecated it can simply be deleted > and consider that it is a working rule of the dev team (and therefore > adopt this mode of operation for the future)?I'm not a member of the OpenSSH development team, only a packager and occasional contributor, so you can't infer anything like that from my message. It wouldn't surprise me if there've been some times when more migration work is required. -- Colin Watson [cjwatson at debian.org]
On 24 February 2018 at 07:42, Colin Watson <cjwatson at debian.org> wrote:> On Fri, Feb 23, 2018 at 02:45:55PM +0100, mlrx wrote: >> May I infer that when an option is deprecated it can simply be deleted >> and consider that it is a working rule of the dev team (and therefore >> adopt this mode of operation for the future)?Anything that the server (or client for that matter) reports as "line N: FooOption option Deprecated" are no-ops and may safely be removed from the config.> I'm not a member of the OpenSSH development team, only a packager and > occasional contributor, so you can't infer anything like that from my > message. It wouldn't surprise me if there've been some times when more > migration work is required.Times where migration work is required are user-visible changes of behaviour and documented in the release notes[0] for that release, usually under "Potentially-incompatible changes". The specific options in this thread (KeyRegenerationInterval[1]) 7.6p1: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. 7.5p1: * This release deprecates the sshd_config UsePrivilegeSeparation option, thereby making privilege separation mandatory. Privilege separation has been on by default for almost 15 years and sandboxing has been on by default for almost the last five. [0] https://www.openssh.com/releasenotes.html [1] https://man.openbsd.org/OpenBSD-6.0/sshd_config.5#KeyRegenerationInterval -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.