Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/openssh/FREEBSD-upgrade | 13 | ||||
-rw-r--r-- | crypto/openssh/config.h | 2 | ||||
-rw-r--r-- | crypto/openssh/configure.ac | 2 | ||||
-rw-r--r-- | crypto/openssh/myproposal.h | 4 | ||||
-rw-r--r-- | crypto/openssh/servconf.c | 2 | ||||
-rw-r--r-- | crypto/openssh/ssh_config.5 | 18 | ||||
-rw-r--r-- | crypto/openssh/sshd_config.5 | 18 |
7 files changed, 19 insertions, 40 deletions
diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade index 43e2a74..4b31eb3 100644 --- a/crypto/openssh/FREEBSD-upgrade +++ b/crypto/openssh/FREEBSD-upgrade @@ -142,30 +142,25 @@ Support for TCP wrappers was removed in upstream 6.7p1. We've added it back by porting the 6.6p1 code forward. -6) DSA keys - - DSA keys were disabled by default in upstream 6.9p1. We've added - them back. - -7) Agent client reference counting +6) Agent client reference counting We've added code to ssh-agent.c to implement client reference counting; the agent will automatically exit when the last client disconnects. -8) Class-based login restrictions +7) Class-based login restrictions We've added code to auth2.c to enforce the host.allow, host.deny, times.allow and times.deny login class capabilities. -9) HPN +8) HPN We no longer have the HPN patches (adaptive buffer size for increased throughput on high-BxD links), but we recognize and ignore HPN-related configuration options to avoid breaking existing configurations. -A) AES-CBC +9) AES-CBC The AES-CBC ciphers were removed from the server-side proposal list in 6.7p1 due to theoretical weaknesses and the availability of diff --git a/crypto/openssh/config.h b/crypto/openssh/config.h index 8e59833..364ebe3 100644 --- a/crypto/openssh/config.h +++ b/crypto/openssh/config.h @@ -1701,7 +1701,7 @@ /* #undef WITH_SELINUX */ /* include SSH protocol version 1 support */ -#define WITH_SSH1 1 +/* #undef WITH_SSH1 */ /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel). */ diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac index 05799c8..d8e923a 100644 --- a/crypto/openssh/configure.ac +++ b/crypto/openssh/configure.ac 
@@ -123,7 +123,7 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ ]) openssl=yes -ssh1=yes +ssh1=no AC_ARG_WITH([openssl], [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ], [ if test "x$withval" = "xno" ; then diff --git a/crypto/openssh/myproposal.h b/crypto/openssh/myproposal.h index d286691..68d29e8 100644 --- a/crypto/openssh/myproposal.h +++ b/crypto/openssh/myproposal.h @@ -100,13 +100,11 @@ HOSTKEY_ECDSA_CERT_METHODS \ "ssh-ed25519-cert-v01@openssh.com," \ "ssh-rsa-cert-v01@openssh.com," \ - "ssh-dss-cert-v01@openssh.com," \ HOSTKEY_ECDSA_METHODS \ "ssh-ed25519," \ "rsa-sha2-512," \ "rsa-sha2-256," \ - "ssh-rsa," \ - "ssh-dss" + "ssh-rsa" /* the actual algorithms */ diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c index e1e6903..da558de 100644 --- a/crypto/openssh/servconf.c +++ b/crypto/openssh/servconf.c @@ -206,8 +206,6 @@ fill_default_server_options(ServerOptions *options) /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_2; - if (options->protocol & SSH_PROTO_1) - error("WARNING: SSH protocol version 1 enabled"); if (options->num_host_key_files == 0) { /* fill default hostkeys for protocols */ if (options->protocol & SSH_PROTO_1) diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5 index 226a802..0a21247 100644 --- a/crypto/openssh/ssh_config.5 +++ b/crypto/openssh/ssh_config.5 @@ -871,10 +871,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, -ssh-dss-cert-v01@openssh.com, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, -ecdsa-sha2-nistp521,ssh-ed25519, -ssh-rsa,ssh-dss +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa .Ed .Pp The 
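Review bot: The shortened algorithm list in the myproposal.h hunk has no comment saying that `ssh-dss` and `ssh-dss-cert-v01@openssh.com` are absent on purpose, so a later vendor merge or local patch could put them back unnoticed. A one-line comment above the macro would record the intent, for example `/* DSA (ssh-dss) is deliberately not offered by default, matching upstream */`. Hosts and users that still hold only DSA keys will presumably stop negotiating them by default after this change. The release notes should say that such keys must be replaced, or the algorithm listed explicitly in options such as `HostKeyAlgorithms`, during the transition. The macro's name and opening lines are outside the hunk.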
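Review bot: With the `error("WARNING: SSH protocol version 1 enabled")` call removed in the servconf.c hunk, nothing visible here tells an administrator that an existing sshd_config still requests protocol 1, yet the context line just below still tests `options->protocol & SSH_PROTO_1`. If the option parser outside this hunk can still set that bit in a build without `WITH_SSH1`, a diagnostic is worth keeping, for example `if (options->protocol & SSH_PROTO_1) error("SSH protocol version 1 requested but not compiled in");`. That leaves a log line operators can search for when auditing upgraded hosts for stale protocol-1 settings. `fill_default_server_options` starts and ends outside the hunk.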
@@ -896,10 +894,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, -ssh-dss-cert-v01@openssh.com, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, -ecdsa-sha2-nistp521,ssh-ed25519, -ssh-rsa,ssh-dss +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa .Ed .Pp If hostkeys are known for the destination host then this default is modified @@ -1336,10 +1332,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, -ssh-dss-cert-v01@openssh.com, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, -ecdsa-sha2-nistp521,ssh-ed25519, -ssh-rsa,ssh-dss +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa .Ed .Pp The diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5 index cc43aad..7853121 100644 --- a/crypto/openssh/sshd_config.5 +++ b/crypto/openssh/sshd_config.5 @@ -659,10 +659,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, -ssh-dss-cert-v01@openssh.com, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, -ecdsa-sha2-nistp521,ssh-ed25519, -ssh-rsa,ssh-dss +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa .Ed .Pp The @@ -753,10 +751,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, -ssh-dss-cert-v01@openssh.com, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, -ecdsa-sha2-nistp521,ssh-ed25519, -ssh-rsa,ssh-dss +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa .Ed .Pp The list of available key types may also be obtained using the 
@@ -1372,10 +1368,8 @@ ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, -ssh-dss-cert-v01@openssh.com, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, -ecdsa-sha2-nistp521,ssh-ed25519, -ssh-rsa,ssh-dss +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ssh-ed25519,ssh-rsa .Ed .Pp The |