deprecated options in sshd_config


mlrx

Feb 23, 2018, 6:17:29 AM
to openssh-...@mindrot.org
Hello,

First, my apologies:
It's practically certain this ML is not the right place for this, but I
can't find a better one for now.

I jumped from one OS to another a few days ago. On the new one,
openssh comes in a much newer version (good thing): 7.6p1
sshd lets me know that there are two deprecated options:
- KeyRegenerationInterval
- UsePrivilegeSeparation

I am searching for a place where I can find information about deprecated
options and how to manage them.
The goal is to know if I need to replace or just erase these options.
I want to stay close to the state of the art and have a good understanding
of the changes.

I set up sshd following a guideline that is now outdated:
https://www.ssi.gouv.fr/en/guide/openssh-secure-use-recommendations

Where I searched:
man sshd and sshd_config

https://www.openssh.com/releasenotes.html

UsePrivilegeSeparation = 12 occurrences, not useful for me
KeyRegenerationInterval = 0 ?
https://www.openssh.com/security.html
https://www.openssh.com/manual.html
duckduckgo is not really my friend this time…


Please, could somebody point me to a path?

Best regards and thanks for your amazing work.
--
benoist

_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Colin Watson

Feb 23, 2018, 6:44:26 AM
to openssh-...@mindrot.org
On Fri, Feb 23, 2018 at 11:46:31AM +0100, mlrx wrote:
> I jumped from one OS to another a few days ago. On the new one,
> openssh comes in a much newer version (good thing): 7.6p1
> sshd lets me know that there are two deprecated options:
> - KeyRegenerationInterval
> - UsePrivilegeSeparation
>
> I am searching for a place where I can find information about deprecated
> options and how to manage them.

I can't give you a general answer other than reading git history, but
regarding your specific options:

* KeyRegenerationInterval was specific to SSH protocol 1, which you
almost certainly weren't using and in any case is no longer supported
in recent versions of OpenSSH.
* sshd now always behaves as if "UsePrivilegeSeparation sandbox" had
been set, and this is no longer configurable.

In both cases, you should just remove the options from sshd_config.5.

--
Colin Watson [cjwa...@debian.org]

mlrx

Feb 23, 2018, 8:48:05 AM
to openssh-...@mindrot.org
On 23/02/2018 at 12:42, Colin Watson wrote:
> On Fri, Feb 23, 2018 at 11:46:31AM +0100, mlrx wrote:
>> I jumped from one OS to another a few days ago. On the new one,
>> openssh comes in a much newer version (good thing): 7.6p1
>> sshd lets me know that there are two deprecated options:
>> - KeyRegenerationInterval
>> - UsePrivilegeSeparation
>>
>> I am searching for a place where I can find information about deprecated
>> options and how to manage them.
>
> I can't give you a general answer other than reading git history, but
> regarding your specific options:
>
> * KeyRegenerationInterval was specific to SSH protocol 1, which you
> almost certainly weren't using and in any case is no longer supported
> in recent versions of OpenSSH.
> * sshd now always behaves as if "UsePrivilegeSeparation sandbox" had
> been set, and this is no longer configurable.
>
> In both cases, you should just remove the options from sshd_config.5.

Hello,

Thank you for your fast answer.
May I infer that when an option is deprecated it can simply be deleted
and consider that it is a working rule of the dev team (and therefore
adopt this mode of operation for the future)?

Regards,
--
benoist


Colin Watson

Feb 23, 2018, 3:44:52 PM
to openssh-...@mindrot.org
On Fri, Feb 23, 2018 at 02:45:55PM +0100, mlrx wrote:
> May I infer that when an option is deprecated it can simply be deleted
> and consider that it is a working rule of the dev team (and therefore
> adopt this mode of operation for the future)?

I'm not a member of the OpenSSH development team, only a packager and
occasional contributor, so you can't infer anything like that from my
message. It wouldn't surprise me if there've been some times when more
migration work is required.

--
Colin Watson [cjwa...@debian.org]

Darren Tucker

Feb 23, 2018, 5:16:12 PM
to OpenSSH Devel List
On 24 February 2018 at 07:42, Colin Watson <cjwa...@debian.org> wrote:
> On Fri, Feb 23, 2018 at 02:45:55PM +0100, mlrx wrote:
>> May I infer that when an option is deprecated it can simply be deleted
>> and consider that it is a working rule of the dev team (and therefore
>> adopt this mode of operation for the future)?

Anything that the server (or client for that matter) reports as "line
N: FooOption option Deprecated" is a no-op and may safely be removed
from the config.

> I'm not a member of the OpenSSH development team, only a packager and
> occasional contributor, so you can't infer anything like that from my
> message. It wouldn't surprise me if there've been some times when more
> migration work is required.

Times where migration work is required are user-visible changes of
behaviour and documented in the release notes[0] for that release,
usually under "Potentially-incompatible changes". The specific
options in this thread (KeyRegenerationInterval[1])

7.6p1:

* ssh(1): delete SSH protocol version 1 support, associated
configuration options and documentation.

7.5p1:

* This release deprecates the sshd_config UsePrivilegeSeparation
option, thereby making privilege separation mandatory. Privilege
separation has been on by default for almost 15 years and
sandboxing has been on by default for almost the last five.

[0] https://www.openssh.com/releasenotes.html
[1] https://man.openbsd.org/OpenBSD-6.0/sshd_config.5#KeyRegenerationInterval

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
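Darren's rule turned into a small tool, as an added example that is not from this thread or the OpenSSH project: it runs sshd in config-test mode (the real `sshd -t -f FILE` flags), parses the "line N: ... Deprecated" warnings, and comments out only the flagged lines after checking that the keyword on that line really is the option named in the warning. The exact wording of sshd's warning is an assumption here, so the regex accepts both word orders; `sshd_warnings` needs sshd installed, while the constructed sample runs offline.

```python
import re
import subprocess

# Assumed message shape, modelled on the "line N: ... Deprecated" text quoted in
# the thread; both word orders are accepted. Real sshd output may differ slightly.
WARN_RE = re.compile(
    r"line (?P<num>\d+): (?:Deprecated option (?P<a>\w+)|(?P<b>\w+) option Deprecated)")


def sshd_warnings(config_path):
    """Run sshd in config-test mode (sshd -t -f FILE) and return its stderr lines."""
    proc = subprocess.run(["sshd", "-t", "-f", config_path],
                          capture_output=True, text=True)
    return proc.stderr.splitlines()


def deprecated_lines(warnings):
    """Map config line number -> option name for each 'Deprecated' warning."""
    found = {}
    for text in warnings:
        m = WARN_RE.search(text)
        if m:
            found[int(m.group("num"))] = m.group("a") or m.group("b")
    return found


def comment_out_deprecated(config_text, warnings):
    """Comment out flagged lines; skip any line whose keyword differs from the warning."""
    flagged = deprecated_lines(warnings)
    out = []
    for num, line in enumerate(config_text.splitlines(), start=1):
        # sshd_config accepts "Key value" as well as "Key=value"
        keyword = re.split(r"[\s=]", line.strip(), maxsplit=1)[0]
        if num in flagged and keyword.lower() == flagged[num].lower():
            out.append("# removed (deprecated no-op): " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample config and the warnings sshd -t would emit for it (constructed).
SAMPLE_CONFIG = """\
Port 22
PasswordAuthentication no
KeyRegenerationInterval 3600
UsePrivilegeSeparation sandbox
PermitRootLogin no
"""
SAMPLE_WARNINGS = [
    "/etc/ssh/sshd_config line 3: Deprecated option KeyRegenerationInterval",
    "/etc/ssh/sshd_config line 4: Deprecated option UsePrivilegeSeparation",
]
```

Commenting out rather than deleting keeps the change visible in the file's history, and the keyword check guards against a stale warning list pointing at the wrong line after an edit.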

mlrx

Feb 24, 2018, 12:29:44 AM
to openssh-...@mindrot.org
On 23/02/2018 at 23:12, Darren Tucker wrote:
> On 24 February 2018 at 07:42, Colin Watson <cjwa...@debian.org> wrote:
>> On Fri, Feb 23, 2018 at 02:45:55PM +0100, mlrx wrote:
>>> May I infer that when an option is deprecated it can simply be deleted
>>> and consider that it is a working rule of the dev team (and therefore
>>> adopt this mode of operation for the future)?
>
> Anything that the server (or client for that matter) reports as "line
> N: FooOption option Deprecated" is a no-op and may safely be removed
> from the config.
That's what I was searching for, perfect.

>> I'm not a member of the OpenSSH development team, only a packager and
>> occasional contributor, so you can't infer anything like that from my
>> message. It wouldn't surprise me if there've been some times when more
>> migration work is required.

@C.W.: Thank you!

> Times where migration work is required are user-visible changes of
> behaviour and documented in the release notes[0] for that release,
> usually under "Potentially-incompatible changes". The specific
> options in this thread (KeyRegenerationInterval[1])
>
> 7.6p1:
>
> * ssh(1): delete SSH protocol version 1 support, associated
> configuration options and documentation.
>
> 7.5p1:
>
> * This release deprecates the sshd_config UsePrivilegeSeparation
> option, thereby making privilege separation mandatory. Privilege
> separation has been on by default for almost 15 years and
> sandboxing has been on by default for almost the last five.
>
> [0] https://www.openssh.com/releasenotes.html
> [1] https://man.openbsd.org/OpenBSD-6.0/sshd_config.5#KeyRegenerationInterval

Thank you too!

Regards,
--
benoist
