Remove SSH-1 from OpenSSH clients
Summary
Upstream removes support for SSH-1 protocol and we plan to do the same in Fedora. The protocol is years obsolete and not even supported in current default binaries (only in openssh-clients-ssh1
subpackage).
Owner
- Name: Jakub Jelen
- Email: jjelen@redhat.com
- Release notes owner:
Current status
Detailed Description
SSH-1 protocol was introduced more than 20 years ago and is no longer considered secure. OpenSSH package in Fedora is built without SSH-1 protocol since 2015 (SSH-1 clients are available in openssh-clients-ssh1
subpackage). OpenSSH upstream plans to remove the code completely in next release, which prevents us from using this technique further and remove the support completely (unless there will be significant demand for compat package).
Benefit to Fedora
Keep close to upstream, minimize the attack surface, decrease complexity of the code handling SSH connection and finally remove potentially insecure protocol from distribution.
Scope
- Proposal owners: Remove subpackage
openssh-clients-ssh1
and potentially createcompat-openssh-clients-7.5
package with clients supporting SSH-1 protocol.
- Other developers: N/A (not a System Wide Change)
- Release engineering: #6867 (a check of an impact with Release Engeneering is needed)
- List of deliverables: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
The new OpenSSH package should make sure the old openssh-clients-ssh1
will get removed during update.
The new OpenSSH compat package should replace the old openssh-clients-ssh1
(if implemented) to ensure upgrade path.
How To Test
You can find out if you have clients with SSH1 protocol installed by running
$ rpm -q openssh-clients-ssh1 package openssh-clients-ssh1 is not installed
This package should not be available for install in Fedora 27:
# dnf install openssh-clients-ssh1 No package openssh-clients-ssh1 available. Error: Unable to find a match.
User Experience
N/A (not a System Wide Change)
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
- Blocks product? product
Documentation
N/A (not a System Wide Change)