ssh on 11.2

Shane Ambler FreeBSD at ShaneWare.Biz
Sat Jul 14 04:42:16 UTC 2018 

On 14/07/2018 02:14, doug wrote:
> 
> On Fri, 13 Jul 2018, Doug McIntyre wrote:
> 
>> On Thu, Jul 12, 2018 at 05:17:25PM -0400, doug wrote:
>>> After going to 11.2 from 11.1 authorized_keys2 MUST be renamed to
>>> authorized_keys. I spent a bit of time checking permissions and keys
>>> before
>>> comparing /etc/ssh/sshd_config. This might be implied in some of the
>>> Open-ssh
>>> errata but not so I got it. A note in UPDATING might be nice, or did
>>> I just miss
>>> this?
>>
>> Wow, you had an authorized_keys2 file? That was deprecated in OpenSSH 3.0
>> https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2
>>
>> Your setup must have been copied along for quite some time.
>>
>> My guess is that OpenSSH finally removed support of it (although I'd
>> have guessed the support would have been removed long ago), as part
>> of the general cleanup. The changeover happened eons ago, so they
>> probably figured nobody had that version any longer.
>>
> Thanks for the info. Yea one of my keys is from the previous millennium.
> But my point remains. So you peaked my curiosity. FreeBSD takes no note
> of this as far as I can find. https://www.openssh.com/releasenotes.html
> covers OpenSSH 7.7/7.7p1 (2018-04-02)  to openSSH 1.2.3p1 (2000-03-24).
> And indeed OpenSSH 5.9/5.9p1 (2011-09-06) notes authorized_keys2 is
> deprecated. That's not noted in UPDATING either. Without the comment in
> sshd_config it I would still be looking. One of the guys I work with has
> never used authorized_keys2 so I would have gotten it eventually from
> that. Back in the very eary ssh days I wanted to do a simple change that
> was eventually implemented. But from that I know I am not up to reading
> the ssh code.

This goes back a while, but the last time use of authorized_keys2 was
removed in head was in Aug 2017 with the upgrade to OpenSSh 7.5p1 which
got merged to stable/11 in Sept 2017 meaning 11.2 doesn't allow it this
time, stable/10 still allows its use.

Back in Mar 2013 (r248465) FreeBSD replaced the use of authorized_keys2
as the previous removal caught many off guard. So keeping support for
this long was a FreeBSD adjustment.

Support for the authorized_keys2 filename was and can be set in
/etc/sshd_config - You will find releng/8.3 and releng/9.1 both removed
authorized_keys2 with 8.4 and 9.2 replacing it. Also of note is that
during these changes using authorized_keys was acceptable.

AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

So... our time for saying we weren't warned has long past.

-- 
FreeBSD - the place to B...Securing Domains

Shane Ambler

More information about the freebsd-questions mailing list