Re: sshd: Remove authorized_keys2 file
Bump: Feeback? OK?
On Mon, Apr 17, 2017 at 09:28:29PM +0200, Klemens Nanni wrote:
Now that protocol version 1 was finally dropped in sshd(8), get rid of
this file completely. Our default sshd_config(5) overwrites
AuthorizedKeysFile to ignore it anyway and sshd(8)'s FILES section
doesn't mention it either.
Index: etc/changelist
===
RCS file: /cvs/src/etc/changelist,v
retrieving revision 1.116
diff -u -p -r1.116 changelist
--- etc/changelist 27 Feb 2017 21:53:11 - 1.116
+++ etc/changelist 17 Apr 2017 19:26:47 -
@@ -147,7 +147,6 @@
/root/.rhosts
/root/.shosts
/root/.ssh/authorized_keys
-/root/.ssh/authorized_keys2
/var/cron/at.allow
/var/cron/at.deny
/var/cron/cron.allow
Index: usr.bin/ssh/pathnames.h
===
RCS file: /cvs/src/usr.bin/ssh/pathnames.h,v
retrieving revision 1.25
diff -u -p -r1.25 pathnames.h
--- usr.bin/ssh/pathnames.h 31 Mar 2016 05:24:06 - 1.25
+++ usr.bin/ssh/pathnames.h 17 Apr 2017 19:26:47 -
@@ -79,7 +79,7 @@
#define _PATH_SSH_USER_CONFFILE _PATH_SSH_USER_DIR "/config"
/*
- * File containing a list of those rsa keys that permit logging in as this
+ * File containing a list of those keys that permit logging in as this
* user. This file need not be readable by anyone but the user him/herself,
* but does not contain anything particularly secret. If the user's home
* directory resides on an NFS volume where root is mapped to nobody, this
@@ -87,9 +87,6 @@
* running as root.)
*/
#define _PATH_SSH_USER_PERMITTED_KEYS _PATH_SSH_USER_DIR "/authorized_keys"
-
-/* backward compat for protocol v2 */
-#define _PATH_SSH_USER_PERMITTED_KEYS2 _PATH_SSH_USER_DIR "/authorized_keys2"
/*
* Per-user and system-wide ssh "rc" files. These files are executed with
Index: usr.bin/ssh/servconf.c
===
RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
retrieving revision 1.306
diff -u -p -r1.306 servconf.c
--- usr.bin/ssh/servconf.c 14 Mar 2017 07:19:07 - 1.306
+++ usr.bin/ssh/servconf.c 17 Apr 2017 19:26:47 -
@@ -294,12 +294,9 @@ fill_default_server_options(ServerOption
options->client_alive_interval = 0;
if (options->client_alive_count_max == -1)
options->client_alive_count_max = 3;
- if (options->num_authkeys_files == 0) {
+ if (options->num_authkeys_files == 0)
options->authorized_keys_files[options->num_authkeys_files++] =
xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
- options->authorized_keys_files[options->num_authkeys_files++] =
- xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
- }
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
if (options->ip_qos_interactive == -1)
Index: usr.bin/ssh/sshd.8
===
RCS file: /cvs/src/usr.bin/ssh/sshd.8,v
retrieving revision 1.288
diff -u -p -r1.288 sshd.8
--- usr.bin/ssh/sshd.8 30 Jan 2017 23:27:39 - 1.288
+++ usr.bin/ssh/sshd.8 17 Apr 2017 19:26:47 -
@@ -390,9 +390,7 @@ does not exist either, xauth is used to
specifies the files containing public keys for
public key authentication;
if this option is not specified, the default is
-.Pa ~/.ssh/authorized_keys
-and
-.Pa ~/.ssh/authorized_keys2 .
+.Pa ~/.ssh/authorized_keys .
Each line of the file contains one
key (empty lines and lines starting with a
.Ql #
Index: usr.bin/ssh/sshd_config
===
RCS file: /cvs/src/usr.bin/ssh/sshd_config,v
retrieving revision 1.101
diff -u -p -r1.101 sshd_config
--- usr.bin/ssh/sshd_config 14 Mar 2017 07:19:07 - 1.101
+++ usr.bin/ssh/sshd_config 17 Apr 2017 19:26:47 -
@@ -35,9 +35,7 @@
#PubkeyAuthentication yes
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysFile.ssh/authorized_keys
#AuthorizedPrincipalsFile none
Index: usr.bin/ssh/sshd_config.5
===
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.243
diff -u -p -r1.243 sshd_config.5
--- usr.bin/ssh/sshd_config.5 14 Mar 2017 07:19:07 - 1.243
+++ usr.bin/ssh/sshd_config.5 17 Apr 2017 19:26:47 -
@@ -283,7 +283,7 @@ Alternately this option may be set to
.Cm none
to skip checking for user keys in files.
The default is
-.Qq .ssh/authorized_keys .ssh/authorized_keys2 .
+.Qq .ssh/authorized_keys .
.It Cm AuthorizedPrincipalsCommand
Specifies a program to be used to generate the list of allowed
certificate principals as per
sshd: Remove authorized_keys2 file
Now that protocol version 1 was finally dropped in sshd(8), get rid of
this file completely. Our default sshd_config(5) overwrites
AuthorizedKeysFile to ignore it anyway and sshd(8)'s FILES section
doesn't mention it either.
Index: etc/changelist
===
RCS file: /cvs/src/etc/changelist,v
retrieving revision 1.116
diff -u -p -r1.116 changelist
--- etc/changelist 27 Feb 2017 21:53:11 - 1.116
+++ etc/changelist 17 Apr 2017 19:26:47 -
@@ -147,7 +147,6 @@
/root/.rhosts
/root/.shosts
/root/.ssh/authorized_keys
-/root/.ssh/authorized_keys2
/var/cron/at.allow
/var/cron/at.deny
/var/cron/cron.allow
Index: usr.bin/ssh/pathnames.h
===
RCS file: /cvs/src/usr.bin/ssh/pathnames.h,v
retrieving revision 1.25
diff -u -p -r1.25 pathnames.h
--- usr.bin/ssh/pathnames.h 31 Mar 2016 05:24:06 - 1.25
+++ usr.bin/ssh/pathnames.h 17 Apr 2017 19:26:47 -
@@ -79,7 +79,7 @@
#define _PATH_SSH_USER_CONFFILE_PATH_SSH_USER_DIR "/config"
/*
- * File containing a list of those rsa keys that permit logging in as this
+ * File containing a list of those keys that permit logging in as this
* user. This file need not be readable by anyone but the user him/herself,
* but does not contain anything particularly secret. If the user's home
* directory resides on an NFS volume where root is mapped to nobody, this
@@ -87,9 +87,6 @@
* running as root.)
*/
#define _PATH_SSH_USER_PERMITTED_KEYS _PATH_SSH_USER_DIR "/authorized_keys"
-
-/* backward compat for protocol v2 */
-#define _PATH_SSH_USER_PERMITTED_KEYS2 _PATH_SSH_USER_DIR "/authorized_keys2"
/*
* Per-user and system-wide ssh "rc" files. These files are executed with
Index: usr.bin/ssh/servconf.c
===
RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
retrieving revision 1.306
diff -u -p -r1.306 servconf.c
--- usr.bin/ssh/servconf.c 14 Mar 2017 07:19:07 - 1.306
+++ usr.bin/ssh/servconf.c 17 Apr 2017 19:26:47 -
@@ -294,12 +294,9 @@ fill_default_server_options(ServerOption
options->client_alive_interval = 0;
if (options->client_alive_count_max == -1)
options->client_alive_count_max = 3;
- if (options->num_authkeys_files == 0) {
+ if (options->num_authkeys_files == 0)
options->authorized_keys_files[options->num_authkeys_files++] =
xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
- options->authorized_keys_files[options->num_authkeys_files++] =
- xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
- }
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
if (options->ip_qos_interactive == -1)
Index: usr.bin/ssh/sshd.8
===
RCS file: /cvs/src/usr.bin/ssh/sshd.8,v
retrieving revision 1.288
diff -u -p -r1.288 sshd.8
--- usr.bin/ssh/sshd.8 30 Jan 2017 23:27:39 - 1.288
+++ usr.bin/ssh/sshd.8 17 Apr 2017 19:26:47 -
@@ -390,9 +390,7 @@ does not exist either, xauth is used to
specifies the files containing public keys for
public key authentication;
if this option is not specified, the default is
-.Pa ~/.ssh/authorized_keys
-and
-.Pa ~/.ssh/authorized_keys2 .
+.Pa ~/.ssh/authorized_keys .
Each line of the file contains one
key (empty lines and lines starting with a
.Ql #
Index: usr.bin/ssh/sshd_config
===
RCS file: /cvs/src/usr.bin/ssh/sshd_config,v
retrieving revision 1.101
diff -u -p -r1.101 sshd_config
--- usr.bin/ssh/sshd_config 14 Mar 2017 07:19:07 - 1.101
+++ usr.bin/ssh/sshd_config 17 Apr 2017 19:26:47 -
@@ -35,9 +35,7 @@
#PubkeyAuthentication yes
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysFile.ssh/authorized_keys
#AuthorizedPrincipalsFile none
Index: usr.bin/ssh/sshd_config.5
===
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.243
diff -u -p -r1.243 sshd_config.5
--- usr.bin/ssh/sshd_config.5 14 Mar 2017 07:19:07 - 1.243
+++ usr.bin/ssh/sshd_config.5 17 Apr 2017 19:26:47 -
@@ -283,7 +283,7 @@ Alternately this option may be set to
.Cm none
to skip checking for user keys in files.
The default is
-.Qq .ssh/authorized_keys .ssh/authorized_keys2 .
+.Qq .ssh/authorized_keys .
.It Cm AuthorizedPrincipalsCommand
Specifies a program to be used to generate the list of allowed
certificate principals as per
