Commit Information - Title: Remove support for pre-authentication compression. - Author: djmdjim - Date: Sep 29, 2016 - Summary: Compression during pre-authentication may have seemed reasonable in the 1990s, but in today’s environment, it has serious flaws in encryption (e.g., in TLS) and attack surface. Additionally, to support this feature on privilege-separated zlib, an assistant was required to coordinate a complex shared memory manager, significantly increasing the attack surface. Prompted by Guido Vranken’s observation about security checks hidden in compiler-generated shared memory management; ok ok deraadt@ markus@ Key Code Changes - 13 files modified, with 19 lines added and 589 lines removed Removed Files - - Added/Modified Code Example Security Impact Explanation - While using compression in early protocol stages may have been reasonable in the past, in today’s context—especially with encryption and TLS exploitation of compression-related attacks—it is a poor idea that greatly increases the attack surface. - Pre-authentication compression has been removed; this feature had been disabled by default in sshd for over 10 years. This commit clearly demonstrates an effort to enhance the security of OpenSSH under OpenBSD by eliminating an unnecessary and potentially risky feature—pre-authentication compression—thereby reducing potential attack vectors, particularly during the pre-authentication phase. This reflects proactive vulnerability mitigation in secure software development.