3 files changed, 16 insertions, 15 deletions
diff --git a/ssh.1 b/ssh.1
index 5b35b6cc0..42f71afaf 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.366 2015/11/15 22:26:49 jcs Exp $
+.\" $OpenBSD: ssh.1,v 1.367 2016/02/16 05:11:04 djm Exp $
-.Dd $Mdocdate: November 15 2015 $
+.Dd $Mdocdate: February 16 2016 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -795,15 +795,9 @@ or the
 and
 .Fl 2
 options (see above).
-Both protocols support similar authentication methods,
+Protocol 2 is the default.
-but protocol 2 is the default since
+Protocol 1 should not be used - it suffers from a number of cryptographic
-it provides additional mechanisms for confidentiality
+weaknesses and is only offered to support legacy devices.
-(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
-and integrity (hmac-md5, hmac-sha1,
-hmac-sha2-256, hmac-sha2-512,
-umac-64, umac-128, hmac-ripemd160).
-Protocol 1 lacks a strong mechanism for ensuring the
-integrity of the connection.
 .Pp
 The methods available for authentication are:
 GSSAPI-based authentication,
diff --git a/ssh_config.5 b/ssh_config.5
index 5b09547dd..c8ccfecb4 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.224 2016/02/11 02:56:32 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.225 2016/02/16 05:11:04 djm Exp $
-.Dd $Mdocdate: February 11 2016 $
+.Dd $Mdocdate: February 16 2016 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -1270,6 +1270,9 @@ will try version 2 and fall back to version 1
 if version 2 is not available.
 The default is
 .Sq 2 .
+Protocol 1 suffers from a number of cryptographic weaknesses and should
+not be used.
+It is only offered to support legacy devices.
 .It Cm ProxyCommand
 Specifies the command to use to connect to the server.
 The command
diff --git a/sshd_config.5 b/sshd_config.5
index fa5cff2fb..711a02524 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.217 2016/02/11 02:56:32 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.218 2016/02/16 05:11:04 djm Exp $
-.Dd $Mdocdate: February 11 2016 $
+.Dd $Mdocdate: February 16 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1342,6 +1342,10 @@ and
 Multiple versions must be comma-separated.
 The default is
 .Sq 2 .
+Protocol 1 suffers from a number of cryptographic weaknesses and should
+not be used.
+It is only offered to support legacy devices.
+.Pp
 Note that the order of the protocol list does not indicate preference,
 because the client selects among multiple protocol versions offered
 by the server.

diff --git a/ssh.1 b/ssh.1 index 5b35b6cc0..42f71afaf 100644 --- a/ssh.1 +++ b/ssh.1
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh.1,v 1.366 2015/11/15 22:26:49 jcs Exp $	36	.\" $OpenBSD: ssh.1,v 1.367 2016/02/16 05:11:04 djm Exp $
37	.Dd $Mdocdate: November 15 2015 $	37	.Dd $Mdocdate: February 16 2016 $
38	.Dt SSH 1	38	.Dt SSH 1
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -795,15 +795,9 @@ or the
795	and	795	and
796	.Fl 2	796	.Fl 2
797	options (see above).	797	options (see above).
798	Both protocols support similar authentication methods,	798	Protocol 2 is the default.
799	but protocol 2 is the default since	799	Protocol 1 should not be used - it suffers from a number of cryptographic
800	it provides additional mechanisms for confidentiality	800	weaknesses and is only offered to support legacy devices.
801	(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
802	and integrity (hmac-md5, hmac-sha1,
803	hmac-sha2-256, hmac-sha2-512,
804	umac-64, umac-128, hmac-ripemd160).
805	Protocol 1 lacks a strong mechanism for ensuring the
806	integrity of the connection.
807	.Pp	801	.Pp
808	The methods available for authentication are:	802	The methods available for authentication are:
809	GSSAPI-based authentication,	803	GSSAPI-based authentication,


diff --git a/ssh_config.5 b/ssh_config.5 index 5b09547dd..c8ccfecb4 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.224 2016/02/11 02:56:32 djm Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.225 2016/02/16 05:11:04 djm Exp $
37	.Dd $Mdocdate: February 11 2016 $	37	.Dd $Mdocdate: February 16 2016 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -1270,6 +1270,9 @@ will try version 2 and fall back to version 1
1270	if version 2 is not available.	1270	if version 2 is not available.
1271	The default is	1271	The default is
1272	.Sq 2 .	1272	.Sq 2 .
		1273	Protocol 1 suffers from a number of cryptographic weaknesses and should
		1274	not be used.
		1275	It is only offered to support legacy devices.
1273	.It Cm ProxyCommand	1276	.It Cm ProxyCommand
1274	Specifies the command to use to connect to the server.	1277	Specifies the command to use to connect to the server.
1275	The command	1278	The command


diff --git a/sshd_config.5 b/sshd_config.5 index fa5cff2fb..711a02524 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.217 2016/02/11 02:56:32 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.218 2016/02/16 05:11:04 djm Exp $
37	.Dd $Mdocdate: February 11 2016 $	37	.Dd $Mdocdate: February 16 2016 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -1342,6 +1342,10 @@ and
1342	Multiple versions must be comma-separated.	1342	Multiple versions must be comma-separated.
1343	The default is	1343	The default is
1344	.Sq 2 .	1344	.Sq 2 .
		1345	Protocol 1 suffers from a number of cryptographic weaknesses and should
		1346	not be used.
		1347	It is only offered to support legacy devices.
		1348	.Pp
1345	Note that the order of the protocol list does not indicate preference,	1349	Note that the order of the protocol list does not indicate preference,
1346	because the client selects among multiple protocol versions offered	1350	because the client selects among multiple protocol versions offered
1347	by the server.	1351	by the server.