Remove DSA from default cipher list and disable SSH1.
Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for reasons which boil down to POLA. Now is a good time to catch up.

MFC after: 3 days
Relnotes: yes
parent
ad600ac8e3
commit
9ded33068e
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=303716
@ -142,30 +142,25 @@
|
|||
Support for TCP wrappers was removed in upstream 6.7p1. We've
|
||||
added it back by porting the 6.6p1 code forward.
|
||||
|
||||
6) DSA keys
|
||||
|
||||
DSA keys were disabled by default in upstream 6.9p1. We've added
|
||||
them back.
|
||||
|
||||
7) Agent client reference counting
|
||||
6) Agent client reference counting
|
||||
|
||||
We've added code to ssh-agent.c to implement client reference
|
||||
counting; the agent will automatically exit when the last client
|
||||
disconnects.
|
||||
|
||||
8) Class-based login restrictions
|
||||
7) Class-based login restrictions
|
||||
|
||||
We've added code to auth2.c to enforce the host.allow, host.deny,
|
||||
times.allow and times.deny login class capabilities.
|
||||
|
||||
9) HPN
|
||||
8) HPN
|
||||
|
||||
We no longer have the HPN patches (adaptive buffer size for
|
||||
increased throughput on high-BxD links), but we recognize and
|
||||
ignore HPN-related configuration options to avoid breaking existing
|
||||
configurations.
|
||||
|
||||
A) AES-CBC
|
||||
9) AES-CBC
|
||||
|
||||
The AES-CBC ciphers were removed from the server-side proposal list
|
||||
in 6.7p1 due to theoretical weaknesses and the availability of
|
||||
|
|
|
@ -1701,7 +1701,7 @@
|
|||
/* #undef WITH_SELINUX */
|
||||
|
||||
/* include SSH protocol version 1 support */
|
||||
#define WITH_SSH1 1
|
||||
/* #undef WITH_SSH1 */
|
||||
|
||||
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
|
||||
significant byte first (like Motorola and SPARC, unlike Intel). */
|
||||
|
|
|
@ -123,7 +123,7 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
|
|||
])
|
||||
|
||||
openssl=yes
|
||||
ssh1=yes
|
||||
ssh1=no
|
||||
AC_ARG_WITH([openssl],
|
||||
[ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
|
||||
[ if test "x$withval" = "xno" ; then
|
||||
|
|
|
@ -100,13 +100,11 @@
|
|||
HOSTKEY_ECDSA_CERT_METHODS \
|
||||
"ssh-ed25519-cert-v01@openssh.com," \
|
||||
"ssh-rsa-cert-v01@openssh.com," \
|
||||
"ssh-dss-cert-v01@openssh.com," \
|
||||
HOSTKEY_ECDSA_METHODS \
|
||||
"ssh-ed25519," \
|
||||
"rsa-sha2-512," \
|
||||
"rsa-sha2-256," \
|
||||
"ssh-rsa," \
|
||||
"ssh-dss"
|
||||
"ssh-rsa"
|
||||
|
||||
/* the actual algorithms */
|
||||
|
||||
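Review bot: After ssh-dss is dropped, the macro list here still carries `"rsa-sha2-512,"` and `"rsa-sha2-256,"` ahead of the final `"ssh-rsa"`, but the manual-page hunks in this same commit describe the new defaults as `ssh-ed25519,ssh-rsa` with no rsa-sha2-* entries, so the documentation and the proposal macro no longer spell out the same list; worth confirming whether the man pages are meant to mirror the macro exactly or intentionally abbreviate it. The list is backslash-continued from a `#define` that starts before the hunk, so the macro's name, and any sibling proposal list that may also have carried ssh-dss, cannot be checked from here.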
|
|
|
@ -206,8 +206,6 @@ fill_default_server_options(ServerOptions *options)
|
|||
/* Standard Options */
|
||||
if (options->protocol == SSH_PROTO_UNKNOWN)
|
||||
options->protocol = SSH_PROTO_2;
|
||||
if (options->protocol & SSH_PROTO_1)
|
||||
error("WARNING: SSH protocol version 1 enabled");
|
||||
if (options->num_host_key_files == 0) {
|
||||
/* fill default hostkeys for protocols */
|
||||
if (options->protocol & SSH_PROTO_1)
|
||||
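Review bot: Removing the `error("WARNING: SSH protocol version 1 enabled")` diagnostic takes away the only visible signal that a `Protocol 1` setting is being honoured or ignored, while the `if (options->protocol & SSH_PROTO_1)` branch that picks protocol-1 default host keys is kept as context just below it. Since this commit also undefines WITH_SSH1 in config.h, that branch appears to be dead on default builds, and unless the configuration parser rejects protocol 1 elsewhere (not visible in this hunk) an operator who still has `Protocol 2,1` in sshd_config gets no message at all; keeping a one-line diagnostic such as `if (options->protocol & SSH_PROTO_1) error("SSH protocol version 1 is no longer supported; ignoring");` or wrapping the remaining SSH_PROTO_1 handling in `#ifdef WITH_SSH1` would preserve visibility. fill_default_server_options continues outside the hunk.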
|
|
|
@ -871,10 +871,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
|
||||
ecdsa-sha2-nistp521,ssh-ed25519,
|
||||
ssh-rsa,ssh-dss
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
ssh-ed25519,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
The
|
||||
|
@ -896,10 +894,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
|
||||
ecdsa-sha2-nistp521,ssh-ed25519,
|
||||
ssh-rsa,ssh-dss
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
ssh-ed25519,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
If hostkeys are known for the destination host then this default is modified
|
||||
|
@ -1336,10 +1332,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
|
||||
ecdsa-sha2-nistp521,ssh-ed25519,
|
||||
ssh-rsa,ssh-dss
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
ssh-ed25519,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
The
|
||||
|
|
|
@ -659,10 +659,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
|
||||
ecdsa-sha2-nistp521,ssh-ed25519,
|
||||
ssh-rsa,ssh-dss
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
ssh-ed25519,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
The
|
||||
|
@ -753,10 +751,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
|
||||
ecdsa-sha2-nistp521,ssh-ed25519,
|
||||
ssh-rsa,ssh-dss
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
ssh-ed25519,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key types may also be obtained using the
|
||||
|
@ -1372,10 +1368,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ssh-dss-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
|
||||
ecdsa-sha2-nistp521,ssh-ed25519,
|
||||
ssh-rsa,ssh-dss
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
ssh-ed25519,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
The
|
||||
|
|