Ssh – Deprecated options when restarting openssh in Stretch

debianopenssh

Today, after doing updates in Debian Stretch, it started displaying these warnings when restarting the ssh service with my current config:

/etc/ssh/sshd_config line 17: Deprecated option KeyRegenerationInterval
/etc/ssh/sshd_config line 18: Deprecated option ServerKeyBits
/etc/ssh/sshd_config line 29: Deprecated option RSAAuthentication
/etc/ssh/sshd_config line 36: Deprecated option RhostsRSAAuthentication
[....] Restarting OpenBSD Secure Shell server: sshd
/etc/ssh/sshd_config line 17: Deprecated option KeyRegenerationInterval
/etc/ssh/sshd_config line 18: Deprecated option ServerKeyBits
/etc/ssh/sshd_config line 29: Deprecated option RSAAuthentication
/etc/ssh/sshd_config line 36: Deprecated option RhostsRSAAuthentication

What is happening here?

Using Debian 9 with OpenSSH 7.4

Best Answer

In the current Stretch update, openssh version changed from 7.3 to 7.4, released on 2016-Dec-19.

As it can be inferred from the Release notes, and from @Jakuje comments, OpenSSH maintainers have removed the corresponding configuration options for good, as they are obsolete.

So the lines can be safely removed.

Also, take head of:

Future deprecation notice

We plan on retiring more legacy cryptography in future releases, specifically:

In approximately August 2017, removing remaining support for the
SSH v.1 protocol (client-only and currently compile-time disabled).

In the same release, removing support for Blowfish and RC4 ciphers and the RIPE-MD160 HMAC. (These are currently run-time disabled).

Refusing all RSA keys smaller than 1024 bits (the current minimum
is 768 bits)

The next release of OpenSSH will remove support for running sshd(8) with privilege separation disabled.

The next release of portable OpenSSH will remove support for
OpenSSL version prior to 1.0.1.

Related Solutions

Ssh – OpenSSH: How to end a match block

To end up a match block with openssh 6.5p1 or above, use the line: Match all

Here is a piece of code, taken from my /etc/ssh/sshd_config file:

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

Match host 192.168.1.12
    PasswordAuthentication yes
Match all

X11Forwarding yes
X11DisplayOffset 10

A line with a sole Match won't work. (It didn't work for me, sshd refused to start)

OpenSSH Client – Options Override for Configuration

OpenSSH options might behave somehow strange on the first sight. But manual page for ssh_config documents it well:

For each parameter, the first obtained value will be used. The configuration files contain sections separated by “Host” specifications, and that section is only applied for hosts that match one of the patterns given in the specification. The matched host name is usually the one given on the command line (see the CanonicalizeHostname option for exceptions.)

You might rewrite your config like this to achieve what you need:

Host github
    HostKeyAlgorithms ssh-rsa
    Hostname        github.com
    Port            22
    User            git
    PubkeyAuthentication yes
    IdentityFile    ~/.ssh/some-filename-here
Host *
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256

Best Answer

Related Solutions

Ssh – OpenSSH: How to end a match block

OpenSSH Client – Options Override for Configuration

Related Question