On Tue, May 03, 2016 at 10:33:29PM +1000, Damien Miller wrote:
> We've had this old protocol in various stages of deprecation for almost
> 10 years and it has been compile-time disabled for about a year.
> Downstream vendors, to their credit, have included this change in recent
> OS releases by shipping OpenSSH packages that disable protocol 1 by
> default and/or offering separate, non-default packages to enable it.

Debian takes the latter approach. Specifically, we have an "openssh-client-ssh1" binary package that includes only scp1, ssh1, and ssh-keygen1 binaries; we do not ship any server-side SSHv1 support. I modelled this on Fedora's approach, which is basically the same aside from a slightly different package name.

A number of our users are basically stuck needing to interoperate with SSHv1-only servers that they can't update for one reason or another. Obviously this is a pretty broken world, but maybe they're at least behind a VPN or firewalled to the local network or something, and at any rate I'm rather glad that none of those things are directly my problem.

My plan for Debian (and thus Ubuntu etc.) is therefore that, once SSHv1 is entirely removed from OpenSSH, I will split out the openssh-client-ssh1 binary package to be built from a separate source package which will remain frozen at the last OpenSSH release that supported SSHv1. As before, this will ship only scp1, ssh1, and ssh-keygen1 binaries. If I notice any fixes for client-side vulnerabilities that might affect SSHv1, then I'll backport them on a best-effort basis, but I expect this to be rare. The protocol is sufficiently broken anyway that I'm not going to lose much sleep over it. I've had it suggested to me that I should try to strip it down further (e.g. removing X forwarding capability), but on the whole I think the chances of accidentally breaking something as a result in something I don't myself use outweigh the expected benefits.

Any comments on this?

Feedback from the changes in 7.0 has convinced me that Debian does need to keep shipping basic client-side support in some form, but it can be very minimal and I'm happy to put whatever dire warnings on it seem useful and appropriate. Notwithstanding all this, the plan of removing all this obsolete code from OpenSSH proper makes a lot of sense to me and I have no complaints there.

-- 
Colin Watson [cjwatson@xxxxxxxxxx]

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
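A defender-side companion to the situation described in the thread (users stuck interoperating with SSHv1-only servers): an added example, not code from this message, from OpenSSH, or from Debian, that takes the identification banners an inventory tool has already collected from your own servers and sorts them by which protocol versions they advertise, so the hosts that still need the frozen ssh1 client can be listed and tracked. It assumes only the identification-string format from RFC 4253 (SSH-protoversion-softwareversion, section 4.2) and the compatibility convention from section 5 that a server announcing version 1.99 accepts both protocol 1 and protocol 2 clients; the hostnames and banners below are constructed sample data, and the function names are the example's own.

```python
"""Sort collected SSH server identification strings by protocol support.

Added example for the openssh-unix-dev thread on SSHv1 removal; not part
of the original message, OpenSSH, or Debian's packaging. Assumes the
RFC 4253 identification-string format and the "1.99" compatibility
convention. All sample data below is constructed.
"""
import re

# Constructed inventory: hostname -> the first data a server sent after
# TCP connect, as an inventory or monitoring tool would have recorded it.
# These hosts and banners are made up for the example.
SAMPLE_BANNERS = {
    "build-01.example.test": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4\r\n",
    "legacy-switch.example.test": "SSH-1.5-Cisco-1.25\r\n",
    "storage-nas.example.test": "SSH-1.99-OpenSSH_3.9p1\r\n",
    # RFC 4253 allows a server to send other lines before the
    # identification string; the parser must skip them.
    "odd-box.example.test": "Welcome to odd-box\r\nSSH-2.0-dropbear_2015.67\r\n",
    "not-ssh.example.test": "220 ftp ready\r\n",
}

# SSH-protoversion-softwareversion [SP comments]; softwareversion may not
# contain whitespace, so the first space separates it from any comments.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_banner(data):
    """Return (protoversion, softwareversion) from the first SSH-
    identification line in `data`, or None if no such line is present."""
    for line in data.splitlines():
        match = BANNER_RE.match(line.rstrip("\r"))
        if match:
            return match.group("proto"), match.group("software")
    return None


def classify(protoversion):
    """Map an advertised protoversion to what the server will accept.

    "1.99" is the RFC 4253 compatibility marker for a server that speaks
    both protocol 1 and protocol 2; "1.x" otherwise is protocol 1 only.
    """
    if protoversion == "1.99":
        return "v1-and-v2"
    if protoversion.startswith("2."):
        return "v2-only"
    if protoversion.startswith("1."):
        return "v1-only"
    return "unknown"


def audit(banners):
    """Group hostnames by classification; lists are sorted for stable output."""
    report = {}
    for host, data in banners.items():
        parsed = parse_banner(data)
        label = classify(parsed[0]) if parsed else "no-ssh-banner"
        report.setdefault(label, []).append(host)
    return {label: sorted(hosts) for label, hosts in report.items()}


def hosts_still_offering_v1(banners):
    """Hosts that would still accept a protocol 1 client: the ones that
    keep a frozen ssh1 package in use and should be tracked for upgrade."""
    report = audit(banners)
    return sorted(report.get("v1-only", []) + report.get("v1-and-v2", []))


if __name__ == "__main__":
    for label, hosts in sorted(audit(SAMPLE_BANNERS).items()):
        print(f"{label:14s} {', '.join(hosts)}")
    print("still offering protocol 1:", hosts_still_offering_v1(SAMPLE_BANNERS))
```

Servers advertising 1.99 are worth listing separately from 1.x-only ones: a 1.99 server already accepts protocol 2 clients, so nobody needs the ssh1 package to reach it, and the remaining work is disabling protocol 1 on the server rather than keeping a legacy client around.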