OpenBSD Journal

OpenSSH Removes SSHv1 Support

Contributed by pitrh on from the it was a step up from telnet once dept.

In a series of commits starting here and ending with this one, Damien Miller completed the removal of all support for the now-historic SSHv1 protocol from OpenSSH.

The final commit message, for the commit that removes the SSHv1 related regression tests, reads:

Eliminate explicit specification of protocol in tests and loops over protocol. We only support SSHv2 now.

Dropping support for SSHv1 and associated ciphers that were either suspected to or known to be broken has been planned for several releases, and has been eagerly anticipated by many in the OpenBSD camp.

In practical terms this means that starting with OpenBSD-current and snapshots as they will be very soon (and further down the road OpenBSD 6.2 with OpenSSH 7.6), the arcane options you used with ssh to connect to some end-of-life gear in a derelict data centre you don't want to visit anymore will no longer work and you will be forced do the reasonable thing. Upgrade.

Longtime OpenBSD developer Bob Beck's public reaction on Twitter was to the point:

Others have described the long-planned move variously as "a mercy killing" and "a cause for major celebrations".

Now is a great time to prepare to decommission or upgrade any equipment that still relies on the long deprecated protocol. You will be making your users safer in the process.

(Comments are closed)

  1. By Renaud Allard (renaud) on

    OpenBSD 6.1 already has Openssh 7.5. I suppose you meant 7.6

    1. By Peter N. M. Hansteen (pitrh) on

      > OpenBSD 6.1 already has Openssh 7.5. I suppose you meant 7.6

      corrected in the stor, thanks!

    2. By Anonymous Coward ( on

      > OpenBSD 6.1 already has Openssh 7.5. I suppose you meant 7.6
      Then how come on and the OpenBSD 6.1 announcement, it has "OpenSSH 7.4" on it?

  2. By sthen ( on

    Even as a user of end-of-life networking gear, removing SSHv1 really isn't going to have much effect. And I'm still going to need the arcane options (mostly for old kex methods).

  3. By Bob Beck ( on

    In all honesty, if you are using this still (as I am to access some old terminal services used for OOB serial access) - You already have to
    have the device itself firewalled off from the universe by something modern (i.e. an OpenBSD box in front of it and a private network). At that point the solution is really simple. These devices all support telnet. Just use telnet.

    1. By Darren Tucker (dtucker) on

      It's also pretty easy to build and install openssh 7.5p1 on another path and keep that around specifically for talking to those devices.

      We even fixed one or two SSHv1 bugs for 7.5 knowing that it was about to be ripped out to support this kind of use case.

  4. By Anonymous Cowboy ( on

    In OpenBSD 6.1 changelog, OpenSSH 7.4 changes state "Server support for the SSH v.1 protocol has been removed."

    So presumably, the recent changes here are for the client support, and probably removing the existing dead code on the server side. Server-side support was already removed before.

  5. By Taylor ( on

    It's so sad that you have officially discontinued support for the SSHv1 Support. I would like to thank the author for sharing these relevant updates. I think this post will be a reference to all computer science students. Do post more new changes in OpenBSD journal. apple tablets wholesale


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]