From Fedora Project Wiki
(initial proposal)
 
 
(8 intermediate revisions by 4 users not shown)
Line 53: Line 53:
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
-->
-->
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1474942 #1474942]


== Detailed Description ==
== Detailed Description ==
Line 74: Line 74:
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engeneering is needed) <!-- REQUIRED FOR SYSTEM WIDE AS WELL AS FOR SELF CONTAINED CHANGES -->
* Release engineering: [https://pagure.io/releng/issues/6867 #6867] (a check of an impact with Release Engeneering is needed) <!-- REQUIRED FOR SYSTEM WIDE AS WELL AS FOR SELF CONTAINED CHANGES -->
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuid required?  include a link to the releng issue.  
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuid required?  include a link to the releng issue.  
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings -->
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings -->
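Review bot: the rewritten Release engineering bullet still reads "Release Engeneering"; since this line is being edited anyway to add the #6867 link, correct it to "Release Engineering" in the same revision. The template comment directly below it also has "rebuid" for "rebuild".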
Line 91: Line 90:
The new OpenSSH compat package should replace the old <code>openssh-clients-ssh1</code> (if implemented) to ensure upgrade path.
The new OpenSSH compat package should replace the old <code>openssh-clients-ssh1</code> (if implemented) to ensure upgrade path.
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)


== How To Test ==
== How To Test ==
Line 103: Line 99:
This package should not be available for install in Fedora 27:
This package should not be available for install in Fedora 27:


<pre># dnf isntall openssh-clients-ssh1
<pre># dnf install openssh-clients-ssh1
No package openssh-clients-ssh1 available.
No package openssh-clients-ssh1 available.
Error: Unable to find a match.</pre>
Error: Unable to find a match.</pre>
Line 120: Line 116:
3. What are the expected results of those actions?
3. What are the expected results of those actions?
-->
-->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)


== User Experience ==
== User Experience ==
Line 158: Line 151:
-->
-->


[[Category:ChangePageIncomplete]]
[[Category:ChangeAcceptedF27]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
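Review bot: with the category switched to ChangeAcceptedF27, the two template comments kept after it, which tell the author to replace Category:ChangePageIncomplete with Category:ChangeReadyForWrangler, no longer match the page state. Remove them in this revision so the next editor is not prompted to change the category back.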

Latest revision as of 16:19, 25 July 2017


Remove SSH-1 from OpenSSH clients

Summary

Upstream is removing support for the SSH-1 protocol, and we plan to do the same in Fedora. The protocol has been obsolete for years and is not even supported in the current default binaries (only in the openssh-clients-ssh1 subpackage).

Owner

  • Name: Jakub Jelen
  • Email: jjelen@redhat.com
  • Release notes owner:

Current status

Detailed Description

The SSH-1 protocol was introduced more than 20 years ago and is no longer considered secure. The OpenSSH package in Fedora has been built without the SSH-1 protocol since 2015 (SSH-1 clients are available in the openssh-clients-ssh1 subpackage). OpenSSH upstream plans to remove the code completely in the next release, which prevents us from using this technique any further, so we will remove the support completely (unless there is significant demand for a compat package).


Benefit to Fedora

Keep close to upstream, minimize the attack surface, decrease the complexity of the code handling SSH connections, and finally remove a potentially insecure protocol from the distribution.


Scope

  • Proposal owners: Remove the openssh-clients-ssh1 subpackage and potentially create a compat-openssh-clients-7.5 package with clients supporting the SSH-1 protocol.


  • Other developers: N/A (not a System Wide Change)
  • Release engineering: #6867 (a check of the impact with Release Engineering is needed)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

The new OpenSSH package should make sure the old openssh-clients-ssh1 is removed during the update. The new OpenSSH compat package (if implemented) should replace the old openssh-clients-ssh1 to ensure an upgrade path.

How To Test

You can find out whether you have clients with the SSH-1 protocol installed by running:

$ rpm -q openssh-clients-ssh1
package openssh-clients-ssh1 is not installed

This package should not be available for install in Fedora 27:

# dnf install openssh-clients-ssh1
No package openssh-clients-ssh1 available.
Error: Unable to find a match.


User Experience

N/A (not a System Wide Change)

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No
  • Blocks product? product

Documentation

N/A (not a System Wide Change)

Release Notes