Debian Bug report logs - #191015
ssh: Deprecated option "fallbacktorsh"


Package: ssh; Maintainer for ssh is Debian OpenSSH Maintainers <[email protected]>; Source for ssh is src:openssh (PTS, buildd, popcon).

Reported by: Sam Vilain <[email protected]>

Date: Mon, 28 Apr 2003 01:18:02 UTC

Severity: wishlist

Found in version 1:3.4p1-1



Report forwarded to [email protected], Matthew Vernon <[email protected]>, [email protected]:
Bug#191015; Package ssh. (full text, mbox, link).


Acknowledgement sent to Sam Vilain <[email protected]>:
New Bug report received and forwarded. Copy sent to Matthew Vernon <[email protected]>, [email protected]. (full text, mbox, link).


Message #5 received at [email protected] (full text, mbox, reply):

From: Sam Vilain <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: ssh: Deprecated option "fallbacktorsh"
Date: Mon, 28 Apr 2003 13:07:10 +1200
Package: ssh
Version: 1:3.4p1-1
Severity: important

Why was this important integration feature removed (FallBackToRSH)?

It claims to be deprecated, yet doesn't even work.  Now I have to
explicitly use "rsh" everywhere that I was using "ssh" for convenience.
This isn't deprecating the option, this is deprecating the
functionality.  And what else is SSH but an embodiment of the
deprecation of RSH?

This is disappointing, the OpenSSH team seem to take a very
narrow-minded view to the use of their code.  Removing the "none"
cipher, arbitrarily setting over-paranoid default behaviour, weird
authentication errors with protocol version 2 that "-v" just won't
shed any light at all on, and now this.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux vilainsa 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages ssh depends on:
ii  adduser                 3.47             Add and remove users and groups
ii  debconf                 1.2.23woody1     Debian configuration management sy
ii  libc6                   2.2.5-11.5       GNU C Library: Shared libraries an
ii  libpam-modules          0.72-35          Pluggable Authentication Modules f
ii  libpam0g                0.72-35          Pluggable Authentication Modules l
ii  libssl0.9.6             0.9.6c-2.woody.3 SSL shared libraries
ii  libwrap0                7.6-9            Wietse Venema's TCP wrappers libra
ii  zlib1g                  1:1.1.4-1        compression library - runtime




Information forwarded to [email protected], Matthew Vernon <[email protected]>, [email protected]:
Bug#191015; Package ssh. (full text, mbox, link).


Acknowledgement sent to [email protected]:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <[email protected]>, [email protected]. (full text, mbox, link).


Message #10 received at [email protected] (full text, mbox, reply):

From: Mark Janssen <[email protected]>
To: [email protected]
Subject: FallBackRsh...
Date: 28 Apr 2003 11:06:36 +0200
AFAIK the option was removed (just like the 'none' cipher you are
complaining about) to make sure that in any case when you get a
connection, you can be sure it's an encrypted connection, and you don't
get a plaintext connection without knowing it.

I myself consider this a VERY good reason to remove rsh. If you want
rsh, type rsh. Besides that, I can't see ANY reason to still be using
rsh, since openssh runs on just about anything.

-- 
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl






Information forwarded to [email protected], Matthew Vernon <[email protected]>, [email protected]:
Bug#191015; Package ssh. (full text, mbox, link).


Acknowledgement sent to Colin Watson <[email protected]>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <[email protected]>, [email protected]. (full text, mbox, link).


Message #15 received at [email protected] (full text, mbox, reply):

From: Colin Watson <[email protected]>
To: Sam Vilain <[email protected]>, [email protected]
Subject: [[email protected]: Re: rsh fallback]
Date: Tue, 29 Apr 2003 13:49:33 +0100
----- Forwarded message from Damien Miller <[email protected]> -----

Date: Tue, 29 Apr 2003 22:33:05 +1000
From: Damien Miller <[email protected]>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225
To: Colin Watson <[email protected]>
Cc: [email protected]
Subject: Re: rsh fallback

Colin Watson wrote:
>Hi,
>
>Can anyone remind me of why FallbackToRsh was removed? I've just had a
>somewhat irate Debian bug report about it, and don't really have enough
>information to respond properly.

It was pulled out as we didn't think it appropriate for a "secure shell" 
to fall back to an insecure transport.

-d




----- End forwarded message -----

-- 
Colin Watson                                  [[email protected]]



Severity set to `wishlist'. Request was from Colin Watson <[email protected]> to [email protected]. (full text, mbox, link).


Information forwarded to [email protected], Matthew Vernon <[email protected]>, [email protected]:
Bug#191015; Package ssh. (full text, mbox, link).


Acknowledgement sent to Sam Vilain <[email protected]>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <[email protected]>, [email protected]. (full text, mbox, link).


Message #22 received at [email protected] (full text, mbox, reply):

From: Sam Vilain <[email protected]>
To: Colin Watson <[email protected]>, [email protected]
Cc: Damien Miller <[email protected]>
Subject: Re: [[email protected]: Re: rsh fallback]
Date: Wed, 30 Apr 2003 01:14:33 +1200
On Wed, 30 Apr 2003 00:49, Colin Watson wrote:
> >Can anyone remind me of why FallbackToRsh was removed? I've just had a
> >somewhat irate Debian bug report about it, and don't really have enough
> >information to respond properly.
> It was pulled out as we didn't think it appropriate for a "secure shell"
> to fall back to an insecure transport.

Please, put it back.  It is damned handy when you find yourself in a 
network that happens to use rsh for a few hosts.  The whole idea of ssh 
(originally) was that it was a `drop-in' replacement for rsh.  And 
`dropping it in' to a legacy network, needs this kind of feature.  Believe 
it or not, there are systems that still use rsh.  I am managing a network 
with about a dozen old QNX boxes running manufacturing plants, which have 
rsh but no C compiler.  It's simply not worth trying to get SSH to run on 
them.  But, I'd like to access them without using `rsh' so that I can 
configure which hosts are RSH hosts in my ~/.ssh/config.

I think it is good that the default behaviour is not to fall back; so, it 
requires the system administrator to set up local policy or the user to 
explicitly allow the behaviour.  On one large network I was involved in 
tightening, during the rollout period we used this feature extensively so 
that old hosts could communicate with new hosts without any modification.  
This was with (v1.x) F-Secure SSH.

You should stay away from enforcing your own policies on your users.  You 
might think that they are sound, but others might see them as draconian 
and unnecessary.  Like, for instance, removing the `-c none' option from 
the default debian binary - which is a complete pain when you just want to 
use SSH for convenience of authentication and not strong encryption.

Apologies if my report seemed irate, I hope you can understand my 
frustration at having a feature that I've used for years removed without 
warning.
-- 
Sam Vilain, [email protected]

Real computer scientists love the concept of users.  Users are always
real impressed by the stuff computer scientists are talking about; it
sure sounds better than the stuff they are being forced to use now.
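
An added example, not part of the original thread and not OpenSSH code: a small auditor that scans ssh_config text for the options argued over in this report, so an administrator can see which Host blocks relied on plaintext rsh or "Cipher none" before upgrading. The keywords are the ones in the keyword table and sample comment of the patch attached to this report; the function name, finding labels and sample config are constructed for illustration, and only Host blocks are handled.

```python
import re

# Keywords as they appear in the patch attached to this bug report.
PLAINTEXT_OPTIONS = {
    "fallbacktorsh": {"yes"},  # fall back to rsh(1) when the ssh connect is refused
    "usersh": {"yes"},         # exec rsh(1) immediately, never try ssh
    "cipher": {"none"},        # cipher selection with encryption switched off
}
REMOVED_KEYWORDS = {"fallbacktorsh", "usersh"}

# ssh_config lines are "keyword argument", separated by whitespace or by
# optional whitespace around a single '='; keywords are case-insensitive.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*?)\s*$")


def audit_ssh_config(text):
    """Return (line_no, host_patterns, keyword, value, finding) tuples."""
    findings = []
    hosts = "*"  # options before the first Host line apply to every host
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip('"')
        if keyword == "host":
            hosts = value
        elif value.lower() in PLAINTEXT_OPTIONS.get(keyword, ()):
            # Setting that asks for an unencrypted session for these hosts.
            findings.append((line_no, hosts, keyword, value, "plaintext"))
        elif keyword in REMOVED_KEYWORDS:
            # Harmless value, but the keyword itself no longer exists.
            findings.append((line_no, hosts, keyword, value, "removed-keyword"))
    return findings


# Constructed sample, modelled on the example block in readconf.c.
SAMPLE = """\
# constructed sample config
FallBackToRsh no
Host *.fr
  UseRsh yes
Host legacy-qnx
  fallbacktorsh=yes
Host *.su
  Cipher none
Host *
  Cipher 3des
"""

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE):
        print(finding)
```
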



Information forwarded to [email protected], Matthew Vernon <[email protected]>, [email protected]:
Bug#191015; Package ssh. (full text, mbox, link).


Acknowledgement sent to Damien Miller <[email protected]>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <[email protected]>, [email protected]. (full text, mbox, link).


Message #27 received at [email protected] (full text, mbox, reply):

From: Damien Miller <[email protected]>
To: Sam Vilain <[email protected]>, [email protected], [email protected]
Subject: Re: [[email protected]: Re: rsh fallback]
Date: Tue, 29 Apr 2003 23:34:24 +1000
[Message part 1 (text/plain, inline)]
Sam Vilain wrote:
> On Wed, 30 Apr 2003 00:49, Colin Watson wrote:
> 
>>>Can anyone remind me of why FallbackToRsh was removed? I've just had a
>>>somewhat irate Debian bug report about it, and don't really have enough
>>>information to respond properly.
>>
>>It was pulled out as we didn't think it appropriate for a "secure shell"
>>to fall back to an insecure transport.
> 
> 
> Please, put it back. 

That is not going to happen in any official version, sorry.

> You should stay away from enforcing your own policies on your users.  You 
> might think that they are sound, but others might see them as draconian 
> and unnecessary.  Like, for instance, removing the `-c none' option from 
> the default debian binary - which is a complete pain when you just want to 
> use SSH for convenience of authentication and not strong encryption.

I don't think OpenSSH ever supported "-c none" in our official versions. 
People complain about the absence of that too, but we don't want to make 
software which is unsafe to use.

If you are willing to patch your software, the diff used to deprecate 
the rsh fallback is attached. It has probably suffered bitrot since last 
year, but with a bit of cleaning it could be used to restore the 
functionality for you.

-d
[norsh.diff (text/plain, inline)]
Index: readconf.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/readconf.c,v
retrieving revision 1.95
diff -u -r1.95 readconf.c
--- readconf.c	4 Feb 2002 12:15:25 -0000	1.95
+++ readconf.c	12 May 2002 10:41:27 -0000
@@ -41,7 +41,7 @@
    # that they are given in.
 
    Host *.ngs.fi ngs.fi
-     FallBackToRsh no
+     User foo
 
    Host fake.com
      HostName another.host.name.real.org
@@ -65,7 +65,7 @@
      ProxyCommand ssh-proxy %h %p
 
    Host *.fr
-     UseRsh yes
+     PublicKeyAuthentication no
 
    Host *.su
      Cipher none
@@ -79,8 +79,6 @@
      PasswordAuthentication yes
      RSAAuthentication yes
      RhostsRSAAuthentication yes
-     FallBackToRsh no
-     UseRsh no
      StrictHostKeyChecking yes
      KeepAlives no
      IdentityFile ~/.ssh/identity
@@ -94,7 +92,7 @@
 typedef enum {
 	oBadOption,
 	oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
-	oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
+	oPasswordAuthentication, oRSAAuthentication, 
 	oChallengeResponseAuthentication, oXAuthLocation,
 #if defined(KRB4) || defined(KRB5)
 	oKerberosAuthentication,
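Review bot: The added enumerator line "oPasswordAuthentication, oRSAAuthentication, " ends with a space after the final comma. Strip the trailing whitespace so the line ends at the comma like the neighbouring enumerator lines.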
@@ -150,8 +148,6 @@
 #ifdef AFS
 	{ "afstokenpassing", oAFSTokenPassing },
 #endif
-	{ "fallbacktorsh", oFallBackToRsh },
-	{ "usersh", oUseRsh },
 	{ "identityfile", oIdentityFile },
 	{ "identityfile2", oIdentityFile },			/* alias */
 	{ "hostname", oHostName },
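Review bot: Deleting the "fallbacktorsh" and "usersh" rows from the keyword table outright means a configuration file that still contains "FallBackToRsh no" or "UseRsh no" no longer matches any keyword, so a setting that was already the secure choice would presumably be handled as oBadOption after the upgrade. Consider keeping both rows and mapping them to an opcode that is accepted and ignored with a warning, so the options stop having any effect but existing configuration files keep loading.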
@@ -371,14 +367,6 @@
 		intptr = &options->afs_token_passing;
 		goto parse_flag;
 #endif
-	case oFallBackToRsh:
-		intptr = &options->fallback_to_rsh;
-		goto parse_flag;
-
-	case oUseRsh:
-		intptr = &options->use_rsh;
-		goto parse_flag;
-
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -763,8 +751,6 @@
 	options->kbd_interactive_devices = NULL;
 	options->rhosts_rsa_authentication = -1;
 	options->hostbased_authentication = -1;
-	options->fallback_to_rsh = -1;
-	options->use_rsh = -1;
 	options->batch_mode = -1;
 	options->check_host_ip = -1;
 	options->strict_host_key_checking = -1;
@@ -847,10 +833,6 @@
 		options->rhosts_rsa_authentication = 1;
 	if (options->hostbased_authentication == -1)
 		options->hostbased_authentication = 0;
-	if (options->fallback_to_rsh == -1)
-		options->fallback_to_rsh = 0;
-	if (options->use_rsh == -1)
-		options->use_rsh = 0;
 	if (options->batch_mode == -1)
 		options->batch_mode = 0;
 	if (options->check_host_ip == -1)
Index: readconf.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/readconf.h,v
retrieving revision 1.42
diff -u -r1.42 readconf.h
--- readconf.h	4 Mar 2002 17:27:39 -0000	1.42
+++ readconf.h	12 May 2002 10:41:27 -0000
@@ -54,8 +54,6 @@
 						 * authentication. */
 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 	char	*kbd_interactive_devices; /* Keyboard-interactive auth devices. */
-	int     fallback_to_rsh;/* Use rsh if cannot connect with ssh. */
-	int     use_rsh;	/* Always use rsh (don\'t try ssh). */
 	int     batch_mode;	/* Batch mode: do not ask for passwords. */
 	int     check_host_ip;	/* Also keep track of keys for IP address */
 	int     strict_host_key_checking;	/* Strict host key checking. */
Index: ssh.1
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh.1,v
retrieving revision 1.151
diff -u -r1.151 ssh.1
--- ssh.1	6 May 2002 23:34:33 -0000	1.151
+++ ssh.1	12 May 2002 10:41:33 -0000
@@ -808,8 +808,7 @@
 .Xr gzip 1 .
 Note that this option applies to protocol version 1 only.
 .It Cm ConnectionAttempts
-Specifies the number of tries (one per second) to make before falling
-back to rsh or exiting.
+Specifies the number of tries (one per second) to make before exiting.
 The argument must be an integer.
 This may be useful in scripts if the connection sometimes fails.
 The default is 1.
@@ -836,21 +835,6 @@
 to disable the escape
 character entirely (making the connection transparent for binary
 data).
-.It Cm FallBackToRsh
-Specifies that if connecting via
-.Nm
-fails due to a connection refused error (there is no
-.Xr sshd 8
-listening on the remote host),
-.Xr rsh 1
-should automatically be used instead (after a suitable warning about
-the session being unencrypted).
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
 .It Cm ForwardAgent
 Specifies whether the connection to the authentication agent (if any)
 will be forwarded to the remote machine.
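Review bot: Missing documentation: the FallBackToRsh entry is deleted from the option list with nothing in its place, so a reader who still has the keyword in a configuration file finds no mention that it existed or why it stopped working. A short entry stating that the option is no longer supported and that ssh does not fall back to rsh(1) would cover it; the same applies to the UseRsh entry removed in the next hunk.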
@@ -1200,22 +1184,6 @@
 Specifies a file to use for the user
 host key database instead of
 .Pa $HOME/.ssh/known_hosts .
-.It Cm UseRsh
-Specifies that rlogin/rsh should be used for this host.
-It is possible that the host does not at all support the
-.Nm
-protocol.
-This causes
-.Nm
-to immediately execute
-.Xr rsh 1 .
-All other options (except
-.Cm HostName )
-are ignored if this has been specified.
-The argument must be
-.Dq yes
-or
-.Dq no .
 .It Cm XAuthLocation
 Specifies the ___location of the
 .Xr xauth 1
Index: ssh.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh.c,v
retrieving revision 1.170
diff -u -r1.170 ssh.c
--- ssh.c	22 Apr 2002 21:04:52 -0000	1.170
+++ ssh.c	12 May 2002 10:41:36 -0000
@@ -195,44 +195,6 @@
 	exit(1);
 }
 
-/*
- * Connects to the given host using rsh (or prints an error message and exits
- * if rsh is not available).  This function never returns.
- */
-static void
-rsh_connect(char *host, char *user, Buffer * command)
-{
-	char *args[10];
-	int i;
-
-	log("Using rsh.  WARNING: Connection will not be encrypted.");
-	/* Build argument list for rsh. */
-	i = 0;
-	args[i++] = _PATH_RSH;
-	/* host may have to come after user on some systems */
-	args[i++] = host;
-	if (user) {
-		args[i++] = "-l";
-		args[i++] = user;
-	}
-	if (buffer_len(command) > 0) {
-		buffer_append(command, "\0", 1);
-		args[i++] = buffer_ptr(command);
-	}
-	args[i++] = NULL;
-	if (debug_flag) {
-		for (i = 0; args[i]; i++) {
-			if (i != 0)
-				fprintf(stderr, " ");
-			fprintf(stderr, "%s", args[i]);
-		}
-		fprintf(stderr, "\n");
-	}
-	execv(_PATH_RSH, args);
-	perror(_PATH_RSH);
-	exit(1);
-}
-
 static int ssh_session(void);
 static int ssh_session2(void);
 static void load_public_identity_files(void);
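Review bot: With rsh_connect() removed, the uses of _PATH_RSH shown here ("args[i++] = _PATH_RSH;", "execv(_PATH_RSH, args);", "perror(_PATH_RSH);") disappear, but none of the four files in this diff touches its definition. If nothing else references it, remove the definition in the same change so the tree carries no leftover reference to the rsh binary.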
@@ -633,24 +595,6 @@
 		    "originating port will not be trusted.");
 		options.rhosts_authentication = 0;
 	}
-	/*
-	 * If using rsh has been selected, exec it now (without trying
-	 * anything else).  Note that we must release privileges first.
-	 */
-	if (options.use_rsh) {
-		/*
-		 * Restore our superuser privileges.  This must be done
-		 * before permanently setting the uid.
-		 */
-		restore_uid();
-
-		/* Switch to the original uid permanently. */
-		permanently_set_uid(pw);
-
-		/* Execute rsh. */
-		rsh_connect(host, options.user, &command);
-		fatal("rsh_connect returned");
-	}
 	/* Restore our superuser privileges. */
 	restore_uid();
 
@@ -706,21 +650,9 @@
 		if (mkdir(buf, 0700) < 0)
 			error("Could not create directory '%.200s'.", buf);
 
-	/* Check if the connection failed, and try "rsh" if appropriate. */
-	if (cerr) {
-		if (!options.fallback_to_rsh)
-			exit(1);
-		if (options.port != 0)
-			log("Secure connection to %.100s on port %hu refused; "
-			    "reverting to insecure method",
-			    host, options.port);
-		else
-			log("Secure connection to %.100s refused; "
-			    "reverting to insecure method.", host);
+	if (cerr)
+		exit(1);
 
-		rsh_connect(host, options.user, &command);
-		fatal("rsh_connect returned");
-	}
 	/* load options.identity_files */
 	load_public_identity_files();
 
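Review bot: The new "if (cerr) exit(1);" stays below the mkdir(buf, 0700) context lines, so a failed connection still goes through the directory creation before the process exits. With the fallback gone, nothing in this hunk needs the process to continue after a failed connect; consider moving the check up to the point where cerr is set so the failure path does no further work.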




Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 15:55:02 2025; Machine Name: bembo
