On Tue, 3 May 2016, Colin Watson wrote:
> Debian takes the latter approach. Specifically, we have an
> "openssh-client-ssh1" binary package that includes only scp1, ssh1, and
> ssh-keygen1 binaries; we do not ship any server-side SSHv1 support. I
> modelled this on Fedora's approach, which is basically the same aside
> from a slightly different package name.
>
> A number of our users are basically stuck needing to interoperate with
> SSHv1-only servers that they can't update for one reason or another.
> Obviously this is a pretty broken world, but maybe they're at least
> behind a VPN or firewalled to the local network or something and at any
> rate I'm rather glad that none of those things are directly my problem.
>
> My plan for Debian (and thus Ubuntu etc.) is therefore that, once SSHv1
> is entirely removed from OpenSSH, I will split out the
> openssh-client-ssh1 binary package to be built from a separate source
> package which will remain frozen at the last OpenSSH release that
> supported SSHv1. As before, this will ship only scp1, ssh1, and
> ssh-keygen1 binaries.
>
> If I notice any fixes for client-side vulnerabilities that might affect
> SSHv1, then I'll backport them on a best-effort basis, but I expect this
> to be rare. The protocol is sufficiently broken anyway that I'm not
> going to lose much sleep over it. I've had it suggested to me that I
> should try to strip it down further (e.g. removing X forwarding
> capability), but on the whole I think the chances of accidentally
> breaking something as a result in something I don't myself use outweigh
> the expected benefits.
>
> Any comments on this? Feedback from the changes in 7.0 has convinced me
> that Debian does need to keep shipping basic client-side support in some
> form, but it can be very minimal and I'm happy to put whatever dire
> warnings on it seem useful and appropriate.
>
> Notwithstanding all this, the plan of removing all this obsolete code
> from OpenSSH proper makes a lot of sense to me and I have no complaints
> there.

Your plan sounds eminently reasonable and I'll repeat my thanks for your
helping the transition by making separate -ssh1 packages.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev