OpenBSD Journal
OpenSSH Removes SSHv1 Support
Contributed by pitrh on Mon May 1 10:25:52 2017 (GMT)
from the it was a step up from telnet once dept.

In a series of commits starting here and ending with this one, Damien Miller completed the removal of all support for the now-historic SSHv1 protocol from OpenSSH.

The final commit message, for the commit that removes the SSHv1 related regression tests, reads:

Eliminate explicit specification of protocol in tests and loops over protocol. We only support SSHv2 now.

Dropping support for SSHv1 and associated ciphers that were either suspected to or known to be broken has been planned for several releases, and has been eagerly anticipated by many in the OpenBSD camp.

In practical terms this means that starting with OpenBSD-current and snapshots as they will be very soon (and further down the road OpenBSD 6.2 with OpenSSH 7.6), the arcane options you used with ssh to connect to some end-of-life gear in a derelict data centre you don't want to visit anymore will no longer work and you will be forced to do the reasonable thing. Upgrade.

Longtime OpenBSD developer Bob Beck's public reaction on Twitter was to the point:

Others have described the long-planned move variously as "a mercy killing" and "a cause for major celebrations".

Now is a great time to prepare to decommission or upgrade any equipment that still relies on the long-deprecated protocol. You will be making your users safer in the process.
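One way to find the equipment in question is to triage the identification strings your devices send on connect. The following is an added example, not code from OpenSSH or from this article; the hostnames, banners and suggested actions are constructed assumptions, and the version semantics (1.x for SSHv1, 1.99 for servers that speak both, 2.0 for SSHv2) follow RFC 4253.

```python
import re

# Identification string format from RFC 4253 section 4.2:
#   SSH-protoversion-softwareversion SP comments CR LF
IDENT_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")

def classify_banner(raw: str) -> str:
    """Classify a server greeting as 'v1-only', 'v1+v2', 'v2-only' or 'not-ssh'."""
    # A server may send other text lines before its identification string,
    # so look at the first line that starts with "SSH-".
    for line in raw.splitlines():
        m = IDENT_RE.match(line)
        if not m:
            continue
        major, minor = int(m.group(1)), int(m.group(2))
        if (major, minor) == (1, 99):
            return "v1+v2"   # RFC 4253 section 5.1: server speaks both
        if major >= 2:
            return "v2-only"
        return "v1-only"     # e.g. 1.5: an SSHv2-only client cannot connect
    return "not-ssh"

def needs_attention(inventory: dict) -> dict:
    """Map host -> suggested action for every device that still offers SSHv1."""
    actions = {}
    for host, banner in inventory.items():
        kind = classify_banner(banner)
        if kind == "v1-only":
            actions[host] = "upgrade or decommission"
        elif kind == "v1+v2":
            actions[host] = "disable SSHv1 on the device"
    return actions

# Constructed sample data: hostnames and banners are made up for illustration.
SAMPLE = {
    "oob-term-01": "SSH-1.5-ExampleOS-1.25\r\n",
    "core-sw-02": "SSH-1.99-ExampleSSH_3.9\r\n",
    "bastion-01": "Authorized use only\r\nSSH-2.0-OpenSSH_7.5\r\n",
    "kvm-03": "login: ",
}

if __name__ == "__main__":
    for host, action in needs_attention(SAMPLE).items():
        print(f"{host}: {action}")
```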


  Re: OpenSSH Removes SSHv1 Support (mod 2/8)
by Renaud Allard (renaud) (renaud@allard.it) on Mon May 1 08:16:29 2017 (GMT)
  OpenBSD 6.1 already has Openssh 7.5. I suppose you meant 7.6

       
Re: OpenSSH Removes SSHv1 Support (mod 2/10)
by Peter N. M. Hansteen (pitrh) on Mon May 1 10:26:32 2017 (GMT)
http://bsdly.blogspot.com/
  > OpenBSD 6.1 already has Openssh 7.5. I suppose you meant 7.6

corrected in the story, thanks!

       
Re: OpenSSH Removes SSHv1 Support (mod -4/4)
by Anonymous Coward (87.118.116.12) on Mon May 8 01:26:09 2017 (GMT)
  > OpenBSD 6.1 already has Openssh 7.5. I suppose you meant 7.6
Then how come on openbsd.org/plus61.html and the OpenBSD 6.1 announcement, it has "OpenSSH 7.4" on it?

  Re: OpenSSH Removes SSHv1 Support (mod 0/6)
by sthen (82.68.199.128) on Mon May 1 09:36:59 2017 (GMT)
  Even as a user of end-of-life networking gear, removing SSHv1 really isn't going to have much effect. And I'm still going to need the arcane options (mostly for old kex methods).

  Re: OpenSSH Removes SSHv1 Support (mod 4/12)
by Bob Beck (184.70.180.51) (beck@openbsd.org) on Mon May 1 13:43:43 2017 (GMT)
  In all honesty, if you are using this still (as I am to access some old terminal services used for OOB serial access) - You already have to have the device itself firewalled off from the universe by something modern (i.e. an OpenBSD box in front of it and a private network). At that point the solution is really simple. These devices all support telnet. Just use telnet.

       
Re: OpenSSH Removes SSHv1 Support (mod 2/10)
by Darren Tucker (dtucker) on Wed May 3 03:42:35 2017 (GMT)
 

It's also pretty easy to build and install openssh 7.5p1 on another path and keep that around specifically for talking to those devices.

We even fixed one or two SSHv1 bugs for 7.5 knowing that it was about to be ripped out to support this kind of use case.


  Re: OpenSSH Removes SSHv1 Support (mod 3/7)
by Anonymous Cowboy (87.118.116.12) on Mon May 8 01:23:59 2017 (GMT)
  In OpenBSD 6.1 changelog, OpenSSH 7.4 changes state "Server support for the SSH v.1 protocol has been removed."

So presumably, the recent changes here are for the client support, and probably removing the existing dead code on the server side. Server-side support was already removed before.