Debian Bug report logs - #191015
ssh: Deprecated option "fallbacktorsh"


Package: ssh; Maintainer for ssh is Debian OpenSSH Maintainers <[email protected]>; Source for ssh is src:openssh (PTS, buildd, popcon).

Reported by: Sam Vilain <[email protected]>

Date: Mon, 28 Apr 2003 01:18:02 UTC

Severity: wishlist

Found in version 1:3.4p1-1



Message #27 received at [email protected] (full text, mbox, reply):

Received: (at 191015) by bugs.debian.org; 29 Apr 2003 13:35:49 +0000
From [email protected] Tue Apr 29 08:35:46 2003
Return-path: <[email protected]>
Received: from shitei.mindrot.org [203.36.198.97] (postfix)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 19AVGo-0001KU-00; Tue, 29 Apr 2003 08:35:43 -0500
Received: from mindrot.org (mothra.mindrot.org [203.44.118.225])
	by shitei.mindrot.org (Postfix) with ESMTP
	id 437A394211; Tue, 29 Apr 2003 23:20:49 +1000 (EST)
Message-ID: <[email protected]>
Date: Tue, 29 Apr 2003 23:34:24 +1000
From: Damien Miller <[email protected]>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225
X-Accept-Language: en-au, en-gb, en, en-us, ja
MIME-Version: 1.0
To: Sam Vilain <[email protected]>, [email protected],
	[email protected]
Subject: Re: [[email protected]: Re: rsh fallback]
References: <[email protected]> <[email protected]>
In-Reply-To: <[email protected]>
Content-Type: multipart/mixed;
 boundary="------------070906070807040606070606"
Delivered-To: [email protected]
X-Spam-Status: No, hits=-32.6 required=4.0
	tests=BAYES_01,EMAIL_ATTRIBUTION,IN_REP_TO,PATCH_UNIFIED_DIFF,
	      QUOTED_EMAIL_TEXT,REFERENCES,REPLY_WITH_QUOTES,
	      USER_AGENT_MOZILLA_UA
	autolearn=ham version=2.53
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53 (1.174.2.15-2003-03-30-exp)
[Message part 1 (text/plain, inline)]
Sam Vilain wrote:
> On Wed, 30 Apr 2003 00:49, Colin Watson wrote:
> 
>>>Can anyone remind me of why FallbackToRsh was removed? I've just had a
>>>somewhat irate Debian bug report about it, and don't really have enough
>>>information to respond properly.
>>
>>It was pulled out as we didn't think it appropriate for a "secure shell"
>>to fall back to an insecure transport.
> 
> 
> Please, put it back. 

That is not going to happen in any official version, sorry.

> You should stay away from enforcing your own policies on your users.  You 
> might think that they are sound, but others might see them as draconian 
> and unnecessary.  Like, for instance, removing the `-c none' option from 
> the default debian binary - which is a complete pain when you just want to 
> use SSH for convenience of authentication and not strong encryption.

I don't think OpenSSH ever supported "-c none" in our official versions. 
People complain about the absence of that too, but we don't want to make 
software which is unsafe to use.

If you are willing to patch your software, the diff used to deprecate 
the rsh fallback is attached. It has probably suffered bitrot since last 
year, but with a bit of cleaning it could be used to restore the 
functionality for you.

-d
[norsh.diff (text/plain, inline)]
Index: readconf.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/readconf.c,v
retrieving revision 1.95
diff -u -r1.95 readconf.c
--- readconf.c	4 Feb 2002 12:15:25 -0000	1.95
+++ readconf.c	12 May 2002 10:41:27 -0000
@@ -41,7 +41,7 @@
    # that they are given in.
 
    Host *.ngs.fi ngs.fi
-     FallBackToRsh no
+     User foo
 
    Host fake.com
      HostName another.host.name.real.org
@@ -65,7 +65,7 @@
      ProxyCommand ssh-proxy %h %p
 
    Host *.fr
-     UseRsh yes
+     PublicKeyAuthentication no
 
    Host *.su
      Cipher none
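Review bot: The replacement example `PublicKeyAuthentication no` in the sample configuration comment does not look like a keyword the client accepts; as far as I know the option is spelled `PubkeyAuthentication`, though the keyword table is only partly visible in this diff. A reader who copies the sample into a config file would get an option error instead of disabling public-key authentication. I would write the line as `PubkeyAuthentication no`. The comment block this hunk edits starts and ends outside the hunk.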
@@ -79,8 +79,6 @@
      PasswordAuthentication yes
      RSAAuthentication yes
      RhostsRSAAuthentication yes
-     FallBackToRsh no
-     UseRsh no
      StrictHostKeyChecking yes
      KeepAlives no
      IdentityFile ~/.ssh/identity
@@ -94,7 +92,7 @@
 typedef enum {
 	oBadOption,
 	oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
-	oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
+	oPasswordAuthentication, oRSAAuthentication, 
 	oChallengeResponseAuthentication, oXAuthLocation,
 #if defined(KRB4) || defined(KRB5)
 	oKerberosAuthentication,
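Review bot: With `oFallBackToRsh` and `oUseRsh` gone from this enum, and their `fallbacktorsh`/`usersh` entries gone from the keyword table in the @@ -150 hunk, a config file that still carries either keyword is presumably treated as an unknown option (the lookup code is outside this diff). That includes files with `FallBackToRsh no`, the safe setting used in the old sample configuration, so users who had explicitly opted out of rsh would get a broken config on upgrade. I would keep both keywords in the table, mapped to an opcode whose handler logs that the option is deprecated and ignores the argument; ssh still never runs rsh, and existing files keep parsing. The new `oPasswordAuthentication, oRSAAuthentication, ` line also ends in trailing whitespace.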
@@ -150,8 +148,6 @@
 #ifdef AFS
 	{ "afstokenpassing", oAFSTokenPassing },
 #endif
-	{ "fallbacktorsh", oFallBackToRsh },
-	{ "usersh", oUseRsh },
 	{ "identityfile", oIdentityFile },
 	{ "identityfile2", oIdentityFile },			/* alias */
 	{ "hostname", oHostName },
@@ -371,14 +367,6 @@
 		intptr = &options->afs_token_passing;
 		goto parse_flag;
 #endif
-	case oFallBackToRsh:
-		intptr = &options->fallback_to_rsh;
-		goto parse_flag;
-
-	case oUseRsh:
-		intptr = &options->use_rsh;
-		goto parse_flag;
-
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -763,8 +751,6 @@
 	options->kbd_interactive_devices = NULL;
 	options->rhosts_rsa_authentication = -1;
 	options->hostbased_authentication = -1;
-	options->fallback_to_rsh = -1;
-	options->use_rsh = -1;
 	options->batch_mode = -1;
 	options->check_host_ip = -1;
 	options->strict_host_key_checking = -1;
@@ -847,10 +833,6 @@
 		options->rhosts_rsa_authentication = 1;
 	if (options->hostbased_authentication == -1)
 		options->hostbased_authentication = 0;
-	if (options->fallback_to_rsh == -1)
-		options->fallback_to_rsh = 0;
-	if (options->use_rsh == -1)
-		options->use_rsh = 0;
 	if (options->batch_mode == -1)
 		options->batch_mode = 0;
 	if (options->check_host_ip == -1)
Index: readconf.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/readconf.h,v
retrieving revision 1.42
diff -u -r1.42 readconf.h
--- readconf.h	4 Mar 2002 17:27:39 -0000	1.42
+++ readconf.h	12 May 2002 10:41:27 -0000
@@ -54,8 +54,6 @@
 						 * authentication. */
 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 	char	*kbd_interactive_devices; /* Keyboard-interactive auth devices. */
-	int     fallback_to_rsh;/* Use rsh if cannot connect with ssh. */
-	int     use_rsh;	/* Always use rsh (don\'t try ssh). */
 	int     batch_mode;	/* Batch mode: do not ask for passwords. */
 	int     check_host_ip;	/* Also keep track of keys for IP address */
 	int     strict_host_key_checking;	/* Strict host key checking. */
Index: ssh.1
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh.1,v
retrieving revision 1.151
diff -u -r1.151 ssh.1
--- ssh.1	6 May 2002 23:34:33 -0000	1.151
+++ ssh.1	12 May 2002 10:41:33 -0000
@@ -808,8 +808,7 @@
 .Xr gzip 1 .
 Note that this option applies to protocol version 1 only.
 .It Cm ConnectionAttempts
-Specifies the number of tries (one per second) to make before falling
-back to rsh or exiting.
+Specifies the number of tries (one per second) to make before exiting.
 The argument must be an integer.
 This may be useful in scripts if the connection sometimes fails.
 The default is 1.
@@ -836,21 +835,6 @@
 to disable the escape
 character entirely (making the connection transparent for binary
 data).
-.It Cm FallBackToRsh
-Specifies that if connecting via
-.Nm
-fails due to a connection refused error (there is no
-.Xr sshd 8
-listening on the remote host),
-.Xr rsh 1
-should automatically be used instead (after a suitable warning about
-the session being unencrypted).
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
 .It Cm ForwardAgent
 Specifies whether the connection to the authentication agent (if any)
 will be forwarded to the remote machine.
@@ -1200,22 +1184,6 @@
 Specifies a file to use for the user
 host key database instead of
 .Pa $HOME/.ssh/known_hosts .
-.It Cm UseRsh
-Specifies that rlogin/rsh should be used for this host.
-It is possible that the host does not at all support the
-.Nm
-protocol.
-This causes
-.Nm
-to immediately execute
-.Xr rsh 1 .
-All other options (except
-.Cm HostName )
-are ignored if this has been specified.
-The argument must be
-.Dq yes
-or
-.Dq no .
 .It Cm XAuthLocation
 Specifies the ___location of the
 .Xr xauth 1
Index: ssh.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh.c,v
retrieving revision 1.170
diff -u -r1.170 ssh.c
--- ssh.c	22 Apr 2002 21:04:52 -0000	1.170
+++ ssh.c	12 May 2002 10:41:36 -0000
@@ -195,44 +195,6 @@
 	exit(1);
 }
 
-/*
- * Connects to the given host using rsh (or prints an error message and exits
- * if rsh is not available).  This function never returns.
- */
-static void
-rsh_connect(char *host, char *user, Buffer * command)
-{
-	char *args[10];
-	int i;
-
-	log("Using rsh.  WARNING: Connection will not be encrypted.");
-	/* Build argument list for rsh. */
-	i = 0;
-	args[i++] = _PATH_RSH;
-	/* host may have to come after user on some systems */
-	args[i++] = host;
-	if (user) {
-		args[i++] = "-l";
-		args[i++] = user;
-	}
-	if (buffer_len(command) > 0) {
-		buffer_append(command, "\0", 1);
-		args[i++] = buffer_ptr(command);
-	}
-	args[i++] = NULL;
-	if (debug_flag) {
-		for (i = 0; args[i]; i++) {
-			if (i != 0)
-				fprintf(stderr, " ");
-			fprintf(stderr, "%s", args[i]);
-		}
-		fprintf(stderr, "\n");
-	}
-	execv(_PATH_RSH, args);
-	perror(_PATH_RSH);
-	exit(1);
-}
-
 static int ssh_session(void);
 static int ssh_session2(void);
 static void load_public_identity_files(void);
@@ -633,24 +595,6 @@
 		    "originating port will not be trusted.");
 		options.rhosts_authentication = 0;
 	}
-	/*
-	 * If using rsh has been selected, exec it now (without trying
-	 * anything else).  Note that we must release privileges first.
-	 */
-	if (options.use_rsh) {
-		/*
-		 * Restore our superuser privileges.  This must be done
-		 * before permanently setting the uid.
-		 */
-		restore_uid();
-
-		/* Switch to the original uid permanently. */
-		permanently_set_uid(pw);
-
-		/* Execute rsh. */
-		rsh_connect(host, options.user, &command);
-		fatal("rsh_connect returned");
-	}
 	/* Restore our superuser privileges. */
 	restore_uid();
 
@@ -706,21 +650,9 @@
 		if (mkdir(buf, 0700) < 0)
 			error("Could not create directory '%.200s'.", buf);
 
-	/* Check if the connection failed, and try "rsh" if appropriate. */
-	if (cerr) {
-		if (!options.fallback_to_rsh)
-			exit(1);
-		if (options.port != 0)
-			log("Secure connection to %.100s on port %hu refused; "
-			    "reverting to insecure method",
-			    host, options.port);
-		else
-			log("Secure connection to %.100s refused; "
-			    "reverting to insecure method.", host);
+	if (cerr)
+		exit(1);
 
-		rsh_connect(host, options.user, &command);
-		fatal("rsh_connect returned");
-	}
 	/* load options.identity_files */
 	load_public_identity_files();
 
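Review bot: The new `if (cerr) exit(1);` has lost the comment that explained the check, and nothing on the new side says that a failed connection now ends the program with no fallback. I would add a comment above it such as `/* Connection failed: exit. There is deliberately no fallback to an unencrypted transport. */` so the fail-closed behaviour is not mistaken for a missing code path. Whether a diagnostic has already been printed by the time `cerr` is set cannot be seen here; the connect call and the rest of the enclosing function lie outside the hunk, so that is worth confirming, since the removed branch was the only place in this hunk that logged the refusal.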

