From Fedora Project Wiki


Remove SSH-1 from OpenSSH clients

Summary

Upstream removes support for SSH-1 protocol and we plan to do the same in Fedora. The protocol is years obsolete and not even supported in current default binaries (only in openssh-clients-ssh1 subpackage).

Owner

  • Name: Jakub Jelen
  • Email: jjelen@redhat.com
  • Release notes owner:

Current status

Detailed Description

SSH-1 protocol was introduced more than 20 years ago and is no longer considered secure. OpenSSH package in Fedora is built without SSH-1 protocol since 2015 (SSH-1 clients are available in openssh-clients-ssh1 subpackage). OpenSSH upstream plans to remove the code completely in next release, which prevents us from using this technique further and remove the support completely (unless there will be significant demand for compat package).


Benefit to Fedora

Keep close to upstream, minimize the attack surface, decrease complexity of the code handling SSH connection and finally remove potentially insecure protocol from distribution.


Scope

  • Proposal owners: Remove subpackage openssh-clients-ssh1 and potentially create compat-openssh-clients-7.5 package with clients supporting SSH-1 protocol.


  • Other developers: N/A (not a System Wide Change)
  • Release engineering: #6867 (a check of an impact with Release Engeneering is needed)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

The new OpenSSH package should make sure the old openssh-clients-ssh1 will get removed during update. The new OpenSSH compat package should replace the old openssh-clients-ssh1 (if implemented) to ensure upgrade path.

How To Test

You can find out if you have clients with SSH1 protocol installed by running

$ rpm -q openssh-clients-ssh1
package openssh-clients-ssh1 is not installed

This package should not be available for install in Fedora 27:

# dnf install openssh-clients-ssh1
No package openssh-clients-ssh1 available.
Error: Unable to find a match.


User Experience

N/A (not a System Wide Change)

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No
  • Blocks product? product

Documentation

N/A (not a System Wide Change)

Release Notes