upstream commit

since these pages now clearly tell folks to avoid v1,
 normalise the docs from a v2 perspective (i.e. stop pointing out which bits
 are v2 only);

ok/tweaks djm ok markus

Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129

1 files changed, 24 insertions, 42 deletions

diff --git a/ssh.1 b/ssh.1
index afc3537b0..cc5334338 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.368 2016/02/16 07:47:54 jmc Exp $
-.Dd $Mdocdate: February 16 2016 $
+.\" $OpenBSD: ssh.1,v 1.369 2016/02/17 07:38:19 jmc Exp $
+.Dd $Mdocdate: February 17 2016 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -402,17 +402,15 @@ in
 for details.
 .Pp
 .It Fl m Ar mac_spec
-Additionally, for protocol version 2 a comma-separated list of MAC
-(message authentication code) algorithms can
-be specified in order of preference.
+A comma-separated list of MAC (message authentication code) algorithms,
+specified in order of preference.
 See the
 .Cm MACs
 keyword for more information.
 .Pp
 .It Fl N
 Do not execute a remote command.
-This is useful for just forwarding ports
-(protocol version 2 only).
+This is useful for just forwarding ports.
 .Pp
 .It Fl n
 Redirects stdin from
@@ -664,8 +662,8 @@ for details.
 .Pp
 .It Fl s
 May be used to request invocation of a subsystem on the remote system.
-Subsystems are a feature of the SSH2 protocol which facilitate the use
-of SSH as a secure transport for other applications (eg.\&
+Subsystems facilitate the use of SSH
+as a secure transport for other applications (e.g.\&
 .Xr sftp 1 ) .
 The subsystem is specified as the remote command.
 .Pp
@@ -710,7 +708,6 @@ Implies
 .Cm ExitOnForwardFailure
 and
 .Cm ClearAllForwardings .
-Works with Protocol version 2 only.
 .Pp
 .It Fl w Xo
 .Ar local_tun Ns Op : Ns Ar remote_tun
@@ -795,8 +792,10 @@ or the
 and
 .Fl 2
 options (see above).
-Protocol 1 should not be used - it suffers from a number of cryptographic
-weaknesses and is only offered to support legacy devices.
+Protocol 1 should not be used
+and is only offered to support legacy devices.
+It suffers from a number of cryptographic weaknesses
+and doesn't support many of the advanced features available for protocol 2.
 .Pp
 The methods available for authentication are:
 GSSAPI-based authentication,
@@ -805,8 +804,9 @@ public key authentication,
 challenge-response authentication,
 and password authentication.
 Authentication methods are tried in the order specified above,
-though protocol 2 has a configuration option to change the default order:
-.Cm PreferredAuthentications .
+though
+.Cm PreferredAuthentications
+can be used to change the default order.
 .Pp
 Host-based authentication works as follows:
 If the machine the user logs in from is listed in
@@ -850,8 +850,6 @@ The server knows the public key, and only the user knows the private key.
 .Nm
 implements public key authentication protocol automatically,
 using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
-Protocol 1 is restricted to using only RSA keys,
-but protocol 2 may use any.
 The HISTORY section of
 .Xr ssl 8
 contains a brief discussion of the DSA and RSA algorithms.
@@ -873,26 +871,26 @@ This stores the private key in
 .Pa ~/.ssh/identity
 (protocol 1),
 .Pa ~/.ssh/id_dsa
-(protocol 2 DSA),
+(DSA),
 .Pa ~/.ssh/id_ecdsa
-(protocol 2 ECDSA),
+(ECDSA),
 .Pa ~/.ssh/id_ed25519
-(protocol 2 Ed25519),
+(Ed25519),
 or
 .Pa ~/.ssh/id_rsa
-(protocol 2 RSA)
+(RSA)
 and stores the public key in
 .Pa ~/.ssh/identity.pub
 (protocol 1),
 .Pa ~/.ssh/id_dsa.pub
-(protocol 2 DSA),
+(DSA),
 .Pa ~/.ssh/id_ecdsa.pub
-(protocol 2 ECDSA),
+(ECDSA),
 .Pa ~/.ssh/id_ed25519.pub
-(protocol 2 Ed25519),
+(Ed25519),
 or
 .Pa ~/.ssh/id_rsa.pub
-(protocol 2 RSA)
+(RSA)
 in the user's home directory.
 The user should then copy the public key
 to
@@ -930,8 +928,6 @@ Challenge-response authentication works as follows:
 The server sends an arbitrary
 .Qq challenge
 text, and prompts for a response.
-Protocol 2 allows multiple challenges and responses;
-protocol 1 is restricted to just one challenge/response.
 Examples of challenge-response authentication include
 .Bx
 Authentication (see
@@ -1030,7 +1026,7 @@ at logout when waiting for forwarded connection / X11 sessions to terminate.
 Display a list of escape characters.
 .It Cm ~B
 Send a BREAK to the remote system
-(only useful for SSH protocol version 2 and if the peer supports it).
+(only useful if the peer supports it).
 .It Cm ~C
 Open command line.
 Currently this allows the addition of port forwardings using the
@@ -1063,7 +1059,7 @@ Basic help is available, using the
 option.
 .It Cm ~R
 Request rekeying of the connection
-(only useful for SSH protocol version 2 and if the peer supports it).
+(only useful if the peer supports it).
 .It Cm ~V
 Decrease the verbosity
 .Pq Ic LogLevel
@@ -1531,20 +1527,6 @@ The file format and configuration options are described in
 .It Pa /etc/ssh/ssh_host_rsa_key
 These files contain the private parts of the host keys
 and are used for host-based authentication.
-If protocol version 1 is used,
-.Nm
-must be setuid root, since the host key is readable only by root.
-For protocol version 2,
-.Nm
-uses
-.Xr ssh-keysign 8
-to access the host keys,
-eliminating the requirement that
-.Nm
-be setuid root when host-based authentication is used.
-By default
-.Nm
-is not setuid root.
 .Pp
 .It Pa /etc/ssh/ssh_known_hosts
 Systemwide list of known host keys.