< Changes
(initial proposal) |
No edit summary |
||
| Line 91: | Line 91: | ||
The new OpenSSH compat package should replace the old <code>openssh-clients-ssh1</code> (if implemented) to ensure upgrade path. | The new OpenSSH compat package should replace the old <code>openssh-clients-ssh1</code> (if implemented) to ensure upgrade path. | ||
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? --> | <!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? --> | ||
== How To Test == | == How To Test == | ||
| Line 103: | Line 100: | ||
This package should not be available for install in Fedora 27: | This package should not be available for install in Fedora 27: | ||
<pre># dnf | <pre># dnf install openssh-clients-ssh1 | ||
No package openssh-clients-ssh1 available. | No package openssh-clients-ssh1 available. | ||
Error: Unable to find a match.</pre> | Error: Unable to find a match.</pre> | ||
Revision as of 12:10, 27 June 2017
Remove SSH-1 from OpenSSH clients
Summary
Upstream removes support for SSH-1 protocol and we plan to do the same in Fedora. The protocol is years obsolete and not even supported in current default binaries (only in openssh-clients-ssh1 subpackage).
Owner
- Name: Jakub Jelen
- Email: jjelen@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 27
- Last updated: 2017-06-27
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
SSH-1 protocol was introduced more than 20 years ago and is no longer considered secure. OpenSSH package in Fedora is built without SSH-1 protocol since 2015 (SSH-1 clients are available in openssh-clients-ssh1 subpackage). OpenSSH upstream plans to remove the code completely in next release, which prevents us from using this technique further and remove the support completely (unless there will be significant demand for compat package).
Benefit to Fedora
Keep close to upstream, minimize the attack surface, decrease complexity of the code handling SSH connection and finally remove potentially insecure protocol from distribution.
Scope
- Proposal owners: Remove subpackage
openssh-clients-ssh1and potentially createcompat-openssh-clients-7.5package with clients supporting SSH-1 protocol.
- Other developers: N/A (not a System Wide Change)
- Release engineering: #Releng issue number (a check of an impact with Release Engeneering is needed)
- List of deliverables: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
The new OpenSSH package should make sure the old openssh-clients-ssh1 will get removed during update.
The new OpenSSH compat package should replace the old openssh-clients-ssh1 (if implemented) to ensure upgrade path.
How To Test
You can find out if you have clients with SSH1 protocol installed by running
$ rpm -q openssh-clients-ssh1 package openssh-clients-ssh1 is not installed
This package should not be available for install in Fedora 27:
# dnf install openssh-clients-ssh1 No package openssh-clients-ssh1 available. Error: Unable to find a match.
N/A (not a System Wide Change)
User Experience
N/A (not a System Wide Change)
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
- Blocks product? product
Documentation
N/A (not a System Wide Change)