diff --git a/ChangeLog b/ChangeLog index 23bc18b6772ba040a38982f1a8003e93fa25098f..495c0968c0456a756dc8ec8a77b3b242de0b8934 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,9 @@ [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5] disable protocol 1 by default (after a transition period of about 10 years) ok deraadt + - jmc@cvs.openbsd.org 2009/10/08 20:42:12 + [sshd_config.5 ssh_config.5 sshd.8 ssh.1] + some tweaks now that protocol 1 is not offered by default; ok markus 20091007 - (dtucker) OpenBSD CVS Sync diff --git a/ssh.1 b/ssh.1 index 6c6271ee4f74dc6a109b466ea513f224a4da7251..8c3d32aaf41153b688c68fa69d45d21fe2bb7f65 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.283 2009/03/19 15:15:09 jmc Exp $ -.Dd $Mdocdate: March 19 2009 $ +.\" $OpenBSD: ssh.1,v 1.284 2009/10/08 20:42:12 jmc Exp $ +.Dd $Mdocdate: October 8 2009 $ .Dt SSH 1 .Os .Sh NAME @@ -666,20 +666,18 @@ exits with the exit status of the remote command or with 255 if an error occurred. .Sh AUTHENTICATION The OpenSSH SSH client supports SSH protocols 1 and 2. -Protocol 2 is the default, with -.Nm -falling back to protocol 1 if it detects protocol 2 is unsupported. -These settings may be altered using the +The default is to use protocol 2 only, +though this can be changed via the .Cm Protocol option in -.Xr ssh_config 5 , -or enforced using the +.Xr ssh_config 5 +or the .Fl 1 and .Fl 2 options (see above). Both protocols support similar authentication methods, -but protocol 2 is preferred since +but protocol 2 is the default since it provides additional mechanisms for confidentiality (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). diff --git a/ssh_config.5 b/ssh_config.5 index 82c2a30b0cd5ee29ed9a21b7bcf60e23d8d39054..89f3896e6cdf3d4203b9a6fdcf7dbb6dd6b24140 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.120 2009/10/08 14:03:41 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.121 2009/10/08 20:42:13 jmc Exp $ .Dd $Mdocdate: October 8 2009 $ .Dt SSH_CONFIG 5 .Os @@ -731,12 +731,12 @@ and .Sq 2 . Multiple versions must be comma-separated. When this option is set to -.Dq 2,1 +.Dq 2,1 .Nm ssh will try version 2 and fall back to version 1 if version 2 is not available. The default is -.Dq 2 . +.Sq 2 . .It Cm ProxyCommand Specifies the command to use to connect to the server. The command diff --git a/sshd.8 b/sshd.8 index 111d491d9a71fb0a07a0ceefa7d105cddb3e8fc6..7878d9f06bf856dae00349d5d034f301a2362ddb 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.248 2009/03/26 08:38:39 sobrado Exp $ -.Dd $Mdocdate: March 26 2009 $ +.\" $OpenBSD: sshd.8,v 1.249 2009/10/08 20:42:13 jmc Exp $ +.Dd $Mdocdate: October 8 2009 $ .Dt SSHD 8 .Os .Sh NAME @@ -260,7 +260,7 @@ or .El .Sh AUTHENTICATION The OpenSSH SSH daemon supports SSH protocols 1 and 2. -Both protocols are supported by default, +The default is to use protocol 2 only, though this can be changed via the .Cm Protocol option in diff --git a/sshd_config.5 b/sshd_config.5 index 00ac82a34e58f11b9ac25ab05ee8be701a599b35..4b3793d131aa3540c265b206852f36fc2fc8c96b 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.108 2009/10/08 14:03:41 markus Exp $ +.\" $OpenBSD: sshd_config.5,v 1.109 2009/10/08 20:42:13 jmc Exp $ .Dd $Mdocdate: October 8 2009 $ .Dt SSHD_CONFIG 5 .Os @@ -793,7 +793,7 @@ and .Sq 2 . Multiple versions must be comma-separated. The default is -.Dq 2 . +.Sq 2 . Note that the order of the protocol list does not indicate preference, because the client selects among multiple protocol versions offered by the server.