upstream commit

Catch up with the SSH1 code removal and delete all mention of protocol 1 particularities, key files and formats, command line options, and configuration keywords from the server documentation and examples. ok jmc@ Upstream-ID: 850328854675b4b6a0d4a90f0b4a9dd9ca4e905f
author: naddy@openbsd.org <naddy@openbsd.org> 2016-08-15 12:32:04 +0000
committer: Damien Miller <djm@mindrot.org> 2016-08-23 13:28:30 +1000
commit: ffe6549c2f7a999cc5264b873a60322e91862581 (patch)
tree: 4a20d7e5c88fb528ad914fbabe76e6890069cc61 /sshd_config.5
parent: c38ea634893a1975dbbec798fb968c9488013f4a (diff)
1 files changed, 4 insertions, 68 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index b70c31307..d1a5d1d33 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.228 2016/08/12 19:19:04 jca Exp $
+.\" $OpenBSD: sshd_config.5,v 1.229 2016/08/15 12:32:04 naddy Exp $
-.Dd $Mdocdate: August 12 2016 $
+.Dd $Mdocdate: August 15 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -230,8 +230,6 @@ of
 .Dq publickey,publickey
 will require successful authentication using two different public keys.
 .Pp
-This option will yield a fatal
-error if enabled if protocol 1 is also enabled.
 Note that each authentication method listed should also be explicitly enabled
 in the configuration.
 The default
@@ -709,15 +707,12 @@ is not to load any certificates.
 .It Cm HostKey
 Specifies a file containing a private host key
 used by SSH.
-The default is
+The defaults are
-.Pa /etc/ssh/ssh_host_key
-for protocol version 1, and
 .Pa /etc/ssh/ssh_host_dsa_key ,
 .Pa /etc/ssh/ssh_host_ecdsa_key ,
 .Pa /etc/ssh/ssh_host_ed25519_key
 and
-.Pa /etc/ssh/ssh_host_rsa_key
+.Pa /etc/ssh/ssh_host_rsa_key .
-for protocol version 2.
 .Pp
 Note that
 .Xr sshd 8
@@ -728,14 +723,6 @@ option restricts which of the keys are actually used by
 .Xr sshd 8 .
 .Pp
 It is possible to have multiple host key files.
-.Dq rsa1
-keys are used for version 1 and
-.Dq dsa ,
-.Dq ecdsa ,
-.Dq ed25519
-or
-.Dq rsa
-are used for version 2 of the SSH protocol.
 It is also possible to specify public host key files instead.
 In this case operations on the private key will be delegated
 to an
@@ -774,8 +761,6 @@ Specifies that
 and
 .Pa .shosts
 files will not be used in
-.Cm RhostsRSAAuthentication
-or
 .Cm HostbasedAuthentication .
 .Pp
 .Pa /etc/hosts.equiv
@@ -790,8 +775,6 @@ Specifies whether
 should ignore the user's
 .Pa ~/.ssh/known_hosts
 during
-.Cm RhostsRSAAuthentication
-or
 .Cm HostbasedAuthentication .
 The default is
 .Dq no .
@@ -910,15 +893,6 @@ option of
 .Xr ssh 1
 with an argument of
 .Dq kex .
-.It Cm KeyRegenerationInterval
-In protocol version 1, the ephemeral server key is automatically regenerated
-after this many seconds (if it has been used).
-The purpose of regeneration is to prevent
-decrypting captured sessions by later breaking into the machine and
-stealing the keys.
-The key is never stored anywhere.
-If the value is 0, the key is never regenerated.
-The default is 3600 (seconds).
 .It Cm ListenAddress
 Specifies the local addresses
 .Xr sshd 8
@@ -1127,8 +1101,6 @@ Available keywords are
 .Cm PubkeyAuthentication ,
 .Cm RekeyLimit ,
 .Cm RevokedKeys ,
-.Cm RhostsRSAAuthentication ,
-.Cm RSAAuthentication ,
 .Cm StreamLocalBindMask ,
 .Cm StreamLocalBindUnlink ,
 .Cm TrustedUserCAKeys ,
@@ -1333,28 +1305,6 @@ when a user logs in interactively.
 or equivalent.)
 The default is
 .Dq yes .
-.It Cm Protocol
-Specifies the protocol versions
-.Xr sshd 8
-supports.
-The possible values are
-.Sq 1
-and
-.Sq 2 .
-Multiple versions must be comma-separated.
-The default is
-.Sq 2 .
-Protocol 1 suffers from a number of cryptographic weaknesses and should
-not be used.
-It is only offered to support legacy devices.
-.Pp
-Note that the order of the protocol list does not indicate preference,
-because the client selects among multiple protocol versions offered
-by the server.
-Specifying
-.Dq 2,1
-is identical to
-.Dq 1,2 .
 .It Cm PubkeyAcceptedKeyTypes
 Specifies the key types that will be accepted for public key authentication
 as a comma-separated pattern list.
@@ -1419,20 +1369,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
 For more information on KRLs, see the KEY REVOCATION LISTS section in
 .Xr ssh-keygen 1 .
-.It Cm RhostsRSAAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
-with successful RSA host authentication is allowed.
-The default is
-.Dq no .
-This option applies to protocol version 1 only.
-.It Cm RSAAuthentication
-Specifies whether pure RSA authentication is allowed.
-The default is
-.Dq yes .
-This option applies to protocol version 1 only.
-.It Cm ServerKeyBits
-Defines the number of bits in the ephemeral protocol version 1 server key.
-The default and minimum value is 1024.
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask
author	naddy@openbsd.org <naddy@openbsd.org>	2016-08-15 12:32:04 +0000
committer	Damien Miller <djm@mindrot.org>	2016-08-23 13:28:30 +1000
commit	ffe6549c2f7a999cc5264b873a60322e91862581 (patch)
tree	4a20d7e5c88fb528ad914fbabe76e6890069cc61 /sshd_config.5
parent	c38ea634893a1975dbbec798fb968c9488013f4a (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index b70c31307..d1a5d1d33 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.228 2016/08/12 19:19:04 jca Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.229 2016/08/15 12:32:04 naddy Exp $
37	.Dd $Mdocdate: August 12 2016 $	37	.Dd $Mdocdate: August 15 2016 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -230,8 +230,6 @@ of
230	.Dq publickey,publickey	230	.Dq publickey,publickey
231	will require successful authentication using two different public keys.	231	will require successful authentication using two different public keys.
232	.Pp	232	.Pp
233	This option will yield a fatal
234	error if enabled if protocol 1 is also enabled.
235	Note that each authentication method listed should also be explicitly enabled	233	Note that each authentication method listed should also be explicitly enabled
236	in the configuration.	234	in the configuration.
237	The default	235	The default
@@ -709,15 +707,12 @@ is not to load any certificates.
709	.It Cm HostKey	707	.It Cm HostKey
710	Specifies a file containing a private host key	708	Specifies a file containing a private host key
711	used by SSH.	709	used by SSH.
712	The default is	710	The defaults are
713	.Pa /etc/ssh/ssh_host_key
714	for protocol version 1, and
715	.Pa /etc/ssh/ssh_host_dsa_key ,	711	.Pa /etc/ssh/ssh_host_dsa_key ,
716	.Pa /etc/ssh/ssh_host_ecdsa_key ,	712	.Pa /etc/ssh/ssh_host_ecdsa_key ,
717	.Pa /etc/ssh/ssh_host_ed25519_key	713	.Pa /etc/ssh/ssh_host_ed25519_key
718	and	714	and
719	.Pa /etc/ssh/ssh_host_rsa_key	715	.Pa /etc/ssh/ssh_host_rsa_key .
720	for protocol version 2.
721	.Pp	716	.Pp
722	Note that	717	Note that
723	.Xr sshd 8	718	.Xr sshd 8
@@ -728,14 +723,6 @@ option restricts which of the keys are actually used by
728	.Xr sshd 8 .	723	.Xr sshd 8 .
729	.Pp	724	.Pp
730	It is possible to have multiple host key files.	725	It is possible to have multiple host key files.
731	.Dq rsa1
732	keys are used for version 1 and
733	.Dq dsa ,
734	.Dq ecdsa ,
735	.Dq ed25519
736	or
737	.Dq rsa
738	are used for version 2 of the SSH protocol.
739	It is also possible to specify public host key files instead.	726	It is also possible to specify public host key files instead.
740	In this case operations on the private key will be delegated	727	In this case operations on the private key will be delegated
741	to an	728	to an
@@ -774,8 +761,6 @@ Specifies that
774	and	761	and
775	.Pa .shosts	762	.Pa .shosts
776	files will not be used in	763	files will not be used in
777	.Cm RhostsRSAAuthentication
778	or
779	.Cm HostbasedAuthentication .	764	.Cm HostbasedAuthentication .
780	.Pp	765	.Pp
781	.Pa /etc/hosts.equiv	766	.Pa /etc/hosts.equiv
@@ -790,8 +775,6 @@ Specifies whether
790	should ignore the user's	775	should ignore the user's
791	.Pa ~/.ssh/known_hosts	776	.Pa ~/.ssh/known_hosts
792	during	777	during
793	.Cm RhostsRSAAuthentication
794	or
795	.Cm HostbasedAuthentication .	778	.Cm HostbasedAuthentication .
796	The default is	779	The default is
797	.Dq no .	780	.Dq no .
@@ -910,15 +893,6 @@ option of
910	.Xr ssh 1	893	.Xr ssh 1
911	with an argument of	894	with an argument of
912	.Dq kex .	895	.Dq kex .
913	.It Cm KeyRegenerationInterval
914	In protocol version 1, the ephemeral server key is automatically regenerated
915	after this many seconds (if it has been used).
916	The purpose of regeneration is to prevent
917	decrypting captured sessions by later breaking into the machine and
918	stealing the keys.
919	The key is never stored anywhere.
920	If the value is 0, the key is never regenerated.
921	The default is 3600 (seconds).
922	.It Cm ListenAddress	896	.It Cm ListenAddress
923	Specifies the local addresses	897	Specifies the local addresses
924	.Xr sshd 8	898	.Xr sshd 8
@@ -1127,8 +1101,6 @@ Available keywords are
1127	.Cm PubkeyAuthentication ,	1101	.Cm PubkeyAuthentication ,
1128	.Cm RekeyLimit ,	1102	.Cm RekeyLimit ,
1129	.Cm RevokedKeys ,	1103	.Cm RevokedKeys ,
1130	.Cm RhostsRSAAuthentication ,
1131	.Cm RSAAuthentication ,
1132	.Cm StreamLocalBindMask ,	1104	.Cm StreamLocalBindMask ,
1133	.Cm StreamLocalBindUnlink ,	1105	.Cm StreamLocalBindUnlink ,
1134	.Cm TrustedUserCAKeys ,	1106	.Cm TrustedUserCAKeys ,
@@ -1333,28 +1305,6 @@ when a user logs in interactively.
1333	or equivalent.)	1305	or equivalent.)
1334	The default is	1306	The default is
1335	.Dq yes .	1307	.Dq yes .
1336	.It Cm Protocol
1337	Specifies the protocol versions
1338	.Xr sshd 8
1339	supports.
1340	The possible values are
1341	.Sq 1
1342	and
1343	.Sq 2 .
1344	Multiple versions must be comma-separated.
1345	The default is
1346	.Sq 2 .
1347	Protocol 1 suffers from a number of cryptographic weaknesses and should
1348	not be used.
1349	It is only offered to support legacy devices.
1350	.Pp
1351	Note that the order of the protocol list does not indicate preference,
1352	because the client selects among multiple protocol versions offered
1353	by the server.
1354	Specifying
1355	.Dq 2,1
1356	is identical to
1357	.Dq 1,2 .
1358	.It Cm PubkeyAcceptedKeyTypes	1308	.It Cm PubkeyAcceptedKeyTypes
1359	Specifies the key types that will be accepted for public key authentication	1309	Specifies the key types that will be accepted for public key authentication
1360	as a comma-separated pattern list.	1310	as a comma-separated pattern list.
@@ -1419,20 +1369,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
1419	.Xr ssh-keygen 1 .	1369	.Xr ssh-keygen 1 .
1420	For more information on KRLs, see the KEY REVOCATION LISTS section in	1370	For more information on KRLs, see the KEY REVOCATION LISTS section in
1421	.Xr ssh-keygen 1 .	1371	.Xr ssh-keygen 1 .
1422	.It Cm RhostsRSAAuthentication
1423	Specifies whether rhosts or /etc/hosts.equiv authentication together
1424	with successful RSA host authentication is allowed.
1425	The default is
1426	.Dq no .
1427	This option applies to protocol version 1 only.
1428	.It Cm RSAAuthentication
1429	Specifies whether pure RSA authentication is allowed.
1430	The default is
1431	.Dq yes .
1432	This option applies to protocol version 1 only.
1433	.It Cm ServerKeyBits
1434	Defines the number of bits in the ephemeral protocol version 1 server key.
1435	The default and minimum value is 1024.
1436	.It Cm StreamLocalBindMask	1372	.It Cm StreamLocalBindMask
1437	Sets the octal file creation mode mask	1373	Sets the octal file creation mode mask
1438	.Pq umask	1374	.Pq umask