From Fedora Project Wiki
(and ... we are finally ready)
 
(6 intermediate revisions by 3 users not shown)
Line 53: Line 53:
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
-->
-->
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1474942 #1474942]


== Detailed Description ==
== Detailed Description ==
Line 74: Line 74:
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engeneering is needed) <!-- REQUIRED FOR SYSTEM WIDE AS WELL AS FOR SELF CONTAINED CHANGES -->
* Release engineering: [https://pagure.io/releng/issues/6867 #6867] (a check of an impact with Release Engeneering is needed) <!-- REQUIRED FOR SYSTEM WIDE AS WELL AS FOR SELF CONTAINED CHANGES -->
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuid required?  include a link to the releng issue.  
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuid required?  include a link to the releng issue.  
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings -->
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings -->
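Review bot: The updated Release engineering bullet still carries the misspelling "Engeneering" in its parenthetical; correct it to "Engineering" while the line is being touched. The parenthetical also still says a check of the impact is needed, so once releng issue #6867 records the outcome, replace that wording with the result.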
Line 152: Line 151:
-->
-->


[[Category:ChangeReadyForWrangler]]
[[Category:ChangeAcceptedF27]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->

Latest revision as of 16:19, 25 July 2017


Remove SSH-1 from OpenSSH clients

Summary

Upstream is removing support for the SSH-1 protocol, and we plan to do the same in Fedora. The protocol has been obsolete for years and is not even supported in the current default binaries (only in the openssh-clients-ssh1 subpackage).

Owner

  • Name: Jakub Jelen
  • Email: jjelen@redhat.com
  • Release notes owner:

Current status

Detailed Description

The SSH-1 protocol was introduced more than 20 years ago and is no longer considered secure. The OpenSSH package in Fedora has been built without the SSH-1 protocol since 2015 (SSH-1 clients are available in the openssh-clients-ssh1 subpackage). OpenSSH upstream plans to remove the code completely in the next release, which prevents us from using this technique any further, so we will remove the support completely (unless there is significant demand for a compat package).


Benefit to Fedora

Stay close to upstream, minimize the attack surface, decrease the complexity of the code handling SSH connections, and finally remove a potentially insecure protocol from the distribution.


Scope

  • Proposal owners: Remove the openssh-clients-ssh1 subpackage and potentially create a compat-openssh-clients-7.5 package with clients supporting the SSH-1 protocol.


  • Other developers: N/A (not a System Wide Change)
  • Release engineering: #6867 (a check of the impact with Release Engineering is needed)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

The new OpenSSH package should make sure the old openssh-clients-ssh1 package is removed during the update. The new OpenSSH compat package (if implemented) should replace the old openssh-clients-ssh1 to ensure an upgrade path.

How To Test

You can find out whether you have clients with SSH-1 protocol support installed by running:

$ rpm -q openssh-clients-ssh1
package openssh-clients-ssh1 is not installed

This package should not be available for install in Fedora 27:

# dnf install openssh-clients-ssh1
No package openssh-clients-ssh1 available.
Error: Unable to find a match.
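
The package checks above show whether an SSH-1 client is present; whether its removal matters depends on the servers you connect to. The following is an added example, not part of the Change page, and goes beyond it: it classifies server identification strings (the `SSH-protoversion-softwareversion` line defined in RFC 4253) from an inventory you have already collected. The function names, host names and banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from an SSH identification string whether an
# SSH-2-only client (Fedora 27 OpenSSH) can still talk to the server.

classify_ssh_banner() {
    # Drop a trailing CR; the protocol version is the second "-" field.
    banner=$(printf '%s' "$1" | tr -d '\r')
    case "$banner" in
        SSH-1.99-*) echo "ssh2-ok" ;;    # 1.99: server speaks 2.0 and legacy 1.x
        SSH-2.0-*)  echo "ssh2-ok" ;;
        SSH-1.*-*)  echo "ssh1-only" ;;  # needs an SSH-1 capable client
        *)          echo "unknown" ;;    # not an SSH identification string
    esac
}

# Read "host banner" lines on stdin and print the hosts that would be
# unreachable once the SSH-1 clients are gone.
ssh1_only_hosts() {
    while read -r host banner; do
        case "$host" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ "$(classify_ssh_banner "$banner")" = "ssh1-only" ]; then
            echo "$host"
        fi
    done
}

# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY='# host banner
build01.example.com SSH-2.0-OpenSSH_7.5
switch-a.example.com SSH-1.5-Cisco-1.25
legacy-db.example.com SSH-1.99-OpenSSH_3.9p1
ups-mgmt.example.com SSH-1.5-1.2.27'

printf '%s\n' "$SAMPLE_INVENTORY" | ssh1_only_hosts
```

Hosts reported here are the ones to upgrade or replace before the client update, or the ones that would justify the compat package mentioned in the Scope section.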


User Experience

N/A (not a System Wide Change)

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No
  • Blocks product? product

Documentation

N/A (not a System Wide Change)

Release Notes