OpenSSH 7.0 Potentially Incompatible Changes

Posted by bodhi 
OpenSSH 7.0 Potentially Incompatible Changes
August 16, 2015 04:49PM
FYI,

Beware that apt-get dist-upgrade on your rootfs could lock you out from root login through SSH (if you don't have a normal user account to log in through SSH, or if you don't have a serial connection).

Quote

Potentially-incompatible Changes
--------------------------------

* Support for the legacy SSH version 1 protocol is disabled by
default at compile time.

* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
is disabled by default at run-time. It may be re-enabled using
the instructions at http://www.openssh.com/legacy.html

* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
by default at run-time. These may be re-enabled using the
instructions at http://www.openssh.com/legacy.html

* Support for the legacy v00 cert format has been removed.

* The default for the sshd_config(5) PermitRootLogin option has
changed from "yes" to "prohibit-password".

* PermitRootLogin=without-password/prohibit-password now bans all
interactive authentication methods, allowing only public-key,
hostbased and GSSAPI authentication (previously it permitted
keyboard-interactive and password-less authentication if those
were enabled).

http://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
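A pre-upgrade check for the lockout described in the post above, as an added example that is not part of the original thread. The function names are hypothetical, and it assumes the existing sshd_config is kept across the upgrade and that root's keys are in the file given as the second argument.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes the existing sshd_config is kept across the upgrade and root's keys
# live in the file passed as $2 (AuthorizedKeysFile may point elsewhere).

# Print the first global PermitRootLogin value, lowercased, or "unset".
# sshd keeps the first value it reads for a keyword; parsing stops at the
# first Match block because anything after it is conditional.
root_login_mode() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        {
            n = split($0, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == "permitrootlogin") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Count key lines (non-blank, non-comment) in an authorized_keys file.
root_key_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -Evc '^[[:space:]]*(#|$)' "$1" || true
}

# Return 0 if root can still log in over SSH once the default becomes
# prohibit-password, 1 if root would be shut out.
root_ssh_survives_upgrade() {
    mode=$(root_login_mode "$1")
    keys=$(root_key_count "$2")
    case "$mode" in
        yes) echo "ok: PermitRootLogin yes is set explicitly"; return 0 ;;
        no)  echo "blocked: PermitRootLogin no is set explicitly"; return 1 ;;
    esac
    # unset, prohibit-password, without-password, forced-commands-only:
    # password and keyboard-interactive are refused for root, so this
    # check looks for an installed public key.
    if [ "$keys" -gt 0 ]; then
        echo "ok: mode=$mode, $keys root key(s) installed"; return 0
    fi
    echo "risk: mode=$mode and no root keys; password login will be refused"
    return 1
}

# Usage: sh check.sh /etc/ssh/sshd_config /root/.ssh/authorized_keys
if [ "$#" -eq 2 ]; then root_ssh_survives_upgrade "$1" "$2"; fi
```

A "risk" result means a root public key or a normal user account should be set up before running the upgrade.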
Re: OpenSSH 7.0 Potentially Incompatible Changes
August 16, 2015 11:07PM
Good to know. Thanks, bodhi.

I suppose these changes balance the need for enhanced security against the advantages of bullet-proof interoperability, but I have always found it refreshing that the SSH package "just worked". It was intuitive and seemed to have minimal "gotchas" and hoops to jump through to make it work. Guess that changes somewhat with OpenSSH 7.0.

BTW, who uses 7.0? Jessie? I'm on Wheezy 7.8 and note that SSH is still version 6.0.
Re: OpenSSH 7.0 Potentially Incompatible Changes
August 17, 2015 02:10AM
Hi restamp,

Looks like it has got to jessie.

Update: perhaps I've misread the version number. If you install and it asks you for confirmation then I think that was it. I said no to this option, but I believe I saw it as the default.

-bodhi
Edited 2 time(s). Last edit at 08/17/2015 02:58AM by bodhi.