Bug#846165: .../.ssh/config line 127: Bad protocol spec '1'.

2016-11-29 Thread Robert de Bath

Reading back, I may have been a little unclear. It's probably because the
arrogance of the openssl people has always aggravated me. (For example the
"none" cipher where they, basically, said everyone else is too stupid to
use it sensibly)

In this instance they have made the $HOME/.ssh/config file a common
configuration file between the ssh1 and openssh2 packages. But due to
an overly aggressive error message it cannot actually be used safely by
both packages.

Safely would mean that if ssh1 is NOT installed ssh does not connect
to a host labeled as "Protocol 1". It does not mean that it sulks until
all hints of "Protocol 1" have been removed from the config file.

Safely means that if the "ssh1" package is installed it is ONLY used
for connections that are EXPLICITLY labeled as "Protocol 1" as the other
end may still support ssh1 or there may be a downgrade attack in progress.

My personal solution to this on another OS was to create a wrapper that
looked down two different config files for the two different versions. If
it found the remote host in one of them it used that particular version
of the connection tool. If it wasn't found the wrapper used the preferred
tool. I think I eventually put the older tool into a library directory
where it wasn't even on the path, it could only be used if I had actually
created an entry for it.

Of course, this used two independent configuration files.

BTW: This was a LONG time ago, it was actually between "ssh" and "rsh". As
you see the ssh people have a long history. I'm actually a bit surprised
that it's taken as long as it has for them to do something like this to
kill off V1, ... maybe they're getting better ... or maybe there's just
more people to shout at them now.

PS: Can the completely insecure ssh1 package have the "none" cipher
please. ;-)

--
Rob.  (Robert de Bath )
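
The two-config-file wrapper described in this message, sketched as an added example (not code from the thread or from OpenSSH): it splits an ssh_config into stanzas, sets aside those carrying "Protocol 1" or "Cipher", and selects the legacy client only for hosts named literally in such a stanza. The function names, the "build" host and the treatment of "Cipher" as a legacy marker are assumptions; the "ultrix" lines are taken from the stanza in the bug report.

```python
import re

def parse_line(line):
    """Return (keyword, value), keyword lowercased; None for blanks and comments."""
    m = re.match(r"\s*([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*?)\s*$", line)
    return (m.group(1).lower(), m.group(2)) if m else None

def is_legacy(keyword, value):
    # Assumption: "Protocol 1" and any "Cipher" line mark an SSH1-only stanza.
    return (keyword == "protocol" and value == "1") or keyword == "cipher"

def split_config(text):
    """Split ssh_config text into (modern, legacy) lists of stanzas (lists of lines)."""
    stanzas, pending = [[]], []
    for line in text.splitlines():
        kv = parse_line(line)
        if kv is None:
            pending.append(line)      # comments and blanks go with the next keyword line
            continue
        if kv[0] in ("host", "match"):
            stanzas.append([])        # a Host or Match line opens a new stanza
        stanzas[-1] += pending + [line]
        pending = []
    stanzas[-1] += pending
    modern, legacy = [], []
    for st in filter(None, stanzas):
        flagged = any(is_legacy(*kv) for kv in map(parse_line, st) if kv)
        (legacy if flagged else modern).append(st)
    return modern, legacy

def pick_client(host, legacy):
    """Return 'ssh1' only when a legacy stanza names the host literally, else 'ssh'."""
    for kv in filter(None, (parse_line(l) for st in legacy for l in st)):
        if kv[0] == "host" and host in kv[1].split() and not set(host) & set("*?!"):
            return "ssh1"
    return "ssh"

SAMPLE = """\
# Constructed sample: one modern stanza, then lines from the reported ultrix stanza.
Host build
    Ciphers aes256-ctr
# simh vax running Ultrix 4.5
Host ultrix
HostKeyAlias=ultrix
Protocol 1
Cipher blowfish
"""

if __name__ == "__main__":
    print([pick_client(h, split_config(SAMPLE)[1]) for h in ("build", "ultrix", "elsewhere")])
```

Writing the legacy stanzas to a file of their own keeps the shared config free of the lines the newer client rejects, and a wildcard Host pattern in that file never selects the legacy client.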
 



Bug#846165: .../.ssh/config line 127: Bad protocol spec '1'.

2016-11-29 Thread Robert de Bath

That's exactly what I want to do, I have a session in the config file
for the ssh1 package.

The ssh2 package breaks when it sees it.

Now what I would think as a nice polite feature would be for the
application that has the '/usr/bin/ssh' name to call the right version
of ssh if it sees a 'bad' "protocol", "Cipher" or "Ciphers" line in an
active part of the .config file.

A poorer implementation would error if it's actually told to attempt
an ssh1 connection.

Throwing its toys out of the pram when it's supposed to be ignoring a
"Protocol 1" line is not what I would expect.


--
Rob.  (Robert de Bath )
 

On Mon, 28 Nov 2016, Russ Allbery wrote:

> Robert de Bath  writes:
>
>> Package: ssh
>> Version: 1:7.3p1-3
>
>> This error occurs whatever I attempt to connect to, even though the
>> particular stanza of the config has nothing to do with the host I'm
>> connecting to. It is obviously inefficient and much too aggressive.
>
>> I obviously still have a use for v1 as there isn't an ssh v2 sufficiently
>> portable to install on the machine in question.
>
> Per /usr/share/doc/openssh-client/NEWS.Debian.gz (which apt-listchanges
> would show to you automatically):
>
> openssh (1:7.1p1-2) unstable; urgency=medium
>
>   OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
>   cryptography.
>
>    * Support for the legacy SSH version 1 protocol is disabled by default at
>      compile time.  Note that this also means that the Cipher keyword in
>      ssh_config(5) is effectively no longer usable; use Ciphers instead for
>      protocol 2.  The openssh-client-ssh1 package includes "ssh1", "scp1",
>      and "ssh-keygen1" binaries which you can use if you have no alternative
>      way to connect to an outdated SSH1-only server; please contact the
>      server administrator or system vendor in such cases and ask them to
>      upgrade.
> [...]
>
> --
> Russ Allbery (r...@debian.org)





Bug#846165: .../.ssh/config line 127: Bad protocol spec '1'.

2016-11-28 Thread Russ Allbery

Robert de Bath  writes:

> Package: ssh
> Version: 1:7.3p1-3

> This error occurs whatever I attempt to connect to, even though the
> particular stanza of the config has nothing to do with the host I'm
> connecting to. It is obviously inefficient and much too aggressive.

> I obviously still have a use for v1 as there isn't an ssh v2 sufficiently
> portable to install on the machine in question.

Per /usr/share/doc/openssh-client/NEWS.Debian.gz (which apt-listchanges
would show to you automatically):

openssh (1:7.1p1-2) unstable; urgency=medium

  OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
  cryptography.

   * Support for the legacy SSH version 1 protocol is disabled by default at
     compile time.  Note that this also means that the Cipher keyword in
     ssh_config(5) is effectively no longer usable; use Ciphers instead for
     protocol 2.  The openssh-client-ssh1 package includes "ssh1", "scp1",
     and "ssh-keygen1" binaries which you can use if you have no alternative
     way to connect to an outdated SSH1-only server; please contact the
     server administrator or system vendor in such cases and ask them to
     upgrade.
[...]

-- 
Russ Allbery (r...@debian.org)   



Bug#846165: .../.ssh/config line 127: Bad protocol spec '1'.

2016-11-28 Thread Robert de Bath

Package: ssh
Version: 1:7.3p1-3

This error occurs whatever I attempt to connect to, even though the
particular stanza of the config has nothing to do with the host I'm
connecting to. It is obviously inefficient and much too aggressive.

I obviously still have a use for v1 as there isn't an ssh v2 
sufficiently portable to install on the machine in question.


This is the stanza at line 127.

# simh vax running Ultrix 4.5
Host ultrix
User robert
Port 2120
HostName 127.0.0.1
AddressFamily inet
HostKeyAlias=ultrix
Protocol 1
Cipher blowfish


--
Rob.  (Robert de Bath )