eliminate explicit specification of protocol in tests and loops over

protocol. We only support SSHv2 now.
author: djm <djm@openbsd.org> 2017-04-30 23:34:55 +0000
committer: djm <djm@openbsd.org> 2017-04-30 23:34:55 +0000
commit: 773d7cab3491aecbc30a1aeed07f6302b0fc24d2 (patch)
tree: 03287e768dd34aec8243b0c91a2466961879920f
parent: remove SSHv1 support from unit tests (diff)
download: wireguard-openbsd-773d7cab3491aecbc30a1aeed07f6302b0fc24d2.tar.xz
wireguard-openbsd-773d7cab3491aecbc30a1aeed07f6302b0fc24d2.zip
39 files changed, 519 insertions, 685 deletions
diff --git a/regress/usr.bin/ssh/agent-pkcs11.sh b/regress/usr.bin/ssh/agent-pkcs11.sh
index 3aa20c8b1ee..db3018b885f 100644
--- a/regress/usr.bin/ssh/agent-pkcs11.sh
+++ b/regress/usr.bin/ssh/agent-pkcs11.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: agent-pkcs11.sh,v 1.2 2015/01/12 11:46:32 djm Exp $
+#	$OpenBSD: agent-pkcs11.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="pkcs11 agent test"
@@ -53,7 +53,7 @@ else
 	fi
 
 	trace "pkcs11 connect via agent"
-	${SSH} -2 -F $OBJ/ssh_proxy somehost exit 5
+	${SSH} -F $OBJ/ssh_proxy somehost exit 5
 	r=$?
 	if [ $r -ne 5 ]; then
 		fail "ssh connect failed (exit code $r)"
diff --git a/regress/usr.bin/ssh/agent.sh b/regress/usr.bin/ssh/agent.sh
index c5e2794b763..0baf0c74a28 100644
--- a/regress/usr.bin/ssh/agent.sh
+++ b/regress/usr.bin/ssh/agent.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: agent.sh,v 1.11 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: agent.sh,v 1.12 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="simple agent test"
@@ -46,28 +46,24 @@ else
 	fi
 
 	trace "simple connect via agent"
-	for p in ${SSH_PROTOCOLS}; do
-		${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p
-		r=$?
-		if [ $r -ne 5$p ]; then
-			fail "ssh connect with protocol $p failed (exit code $r)"
-		fi
-	done
+	${SSH} -F $OBJ/ssh_proxy somehost exit 52
+	r=$?
+	if [ $r -ne 52 ]; then
+		fail "ssh connect with failed (exit code $r)"
+	fi
 
 	trace "agent forwarding"
-	for p in ${SSH_PROTOCOLS}; do
-		${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
-		r=$?
-		if [ $r -ne 0 ]; then
-			fail "ssh-add -l via agent fwd proto $p failed (exit code $r)"
-		fi
-		${SSH} -A -$p -F $OBJ/ssh_proxy somehost \
-			"${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p"
-		r=$?
-		if [ $r -ne 5$p ]; then
-			fail "agent fwd proto $p failed (exit code $r)"
-		fi
-	done
+	${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
+	r=$?
+	if [ $r -ne 0 ]; then
+		fail "ssh-add -l via agent fwd failed (exit code $r)"
+	fi
+	${SSH} -A -F $OBJ/ssh_proxy somehost \
+		"${SSH} -F $OBJ/ssh_proxy somehost exit 52"
+	r=$?
+	if [ $r -ne 52 ]; then
+		fail "agent fwd failed (exit code $r)"
+	fi
 
 	trace "delete all agent keys"
 	${SSHADD} -D > /dev/null 2>&1
diff --git a/regress/usr.bin/ssh/banner.sh b/regress/usr.bin/ssh/banner.sh
index 0b9c9500749..0d9654fe247 100644
--- a/regress/usr.bin/ssh/banner.sh
+++ b/regress/usr.bin/ssh/banner.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $
+#	$OpenBSD: banner.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="banner"
@@ -9,7 +9,7 @@ touch $OBJ/empty.in
 
 trace "test missing banner file"
 verbose "test $tid: missing banner file"
-( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
 	cmp $OBJ/empty.in $OBJ/banner.out ) || \
 	fail "missing banner file"
 
@@ -30,14 +30,14 @@ for s in 0 10 100 1000 10000 100000 ; do
 
 	trace "test banner size $s"
 	verbose "test $tid: size $s"
-	( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+	( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
 		cmp $OBJ/banner.in $OBJ/banner.out ) || \
 		fail "banner size $s mismatch"
 done
 
 trace "test suppress banner (-q)"
 verbose "test $tid: suppress banner (-q)"
-( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+( ${SSH} -q -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
 	cmp $OBJ/empty.in $OBJ/banner.out ) || \
 	fail "suppress banner (-q)"
 
diff --git a/regress/usr.bin/ssh/broken-pipe.sh b/regress/usr.bin/ssh/broken-pipe.sh
index a416f7a3b52..c69276e2705 100644
--- a/regress/usr.bin/ssh/broken-pipe.sh
+++ b/regress/usr.bin/ssh/broken-pipe.sh
@@ -1,15 +1,12 @@
-#	$OpenBSD: broken-pipe.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: broken-pipe.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="broken pipe test"
 
-for p in ${SSH_PROTOCOLS}; do
-	trace "protocol $p"
-	for i in 1 2 3 4; do
-		${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true
-		r=$?
-		if [ $r -ne 0 ]; then
-			fail "broken pipe returns $r for protocol $p"
-		fi
-	done
+for i in 1 2 3 4; do
+	${SSH} -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true
+	r=$?
+	if [ $r -ne 0 ]; then
+		fail "broken pipe returns $r"
+	fi
 done
diff --git a/regress/usr.bin/ssh/brokenkeys.sh b/regress/usr.bin/ssh/brokenkeys.sh
index 3e70c348ac3..9d5a54fa9db 100644
--- a/regress/usr.bin/ssh/brokenkeys.sh
+++ b/regress/usr.bin/ssh/brokenkeys.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $
+#	$OpenBSD: brokenkeys.sh,v 1.2 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="broken keys"
@@ -14,9 +14,9 @@ echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEABTM= bad key" > $KEYS
 cat ${KEYS}.bak >> ${KEYS}
 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
 
-${SSH} -2 -F $OBJ/ssh_config somehost true
+${SSH} -F $OBJ/ssh_config somehost true
 if [ $? -ne 0 ]; then
-	fail "ssh connect with protocol $p failed"
+	fail "ssh connect with failed"
 fi
 
 mv ${KEYS}.bak ${KEYS}
diff --git a/regress/usr.bin/ssh/cert-file.sh b/regress/usr.bin/ssh/cert-file.sh
index 43b8e02014c..8fd62c7730d 100644
--- a/regress/usr.bin/ssh/cert-file.sh
+++ b/regress/usr.bin/ssh/cert-file.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $
+#	$OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="ssh with certificates"
@@ -54,66 +54,64 @@ cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config
 # XXX: verify that certificate used was what we expect. Needs exposure of
 # keys via enviornment variable or similar.
 
-for p in ${SSH_PROTOCOLS}; do
 	# Key with no .pub should work - finding the equivalent *-cert.pub.
-	verbose "protocol $p: identity cert with no plain public file"
-	${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
-	    -i $OBJ/user_key3 somehost exit 5$p
-	[ $? -ne 5$p ] && fail "ssh failed"
-
-	# CertificateFile matching private key with no .pub file should work.
-	verbose "protocol $p: CertificateFile with no plain public file"
-	${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
-	    -oCertificateFile=$OBJ/user_key3-cert.pub \
-	    -i $OBJ/user_key3 somehost exit 5$p
-	[ $? -ne 5$p ] && fail "ssh failed"
-
-	# Just keys should fail
-	verbose "protocol $p: plain keys"
-	${SSH} $opts2 somehost exit 5$p
-	r=$?
-	if [ $r -eq 5$p ]; then
-		fail "ssh succeeded with no certs in protocol $p"
-	fi
-
-	# Keys with untrusted cert should fail.
-	verbose "protocol $p: untrusted cert"
-	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
-	${SSH} $opts3 somehost exit 5$p
-	r=$?
-	if [ $r -eq 5$p ]; then
-		fail "ssh succeeded with bad cert in protocol $p"
-	fi
-
-	# Good cert with bad key should fail.
-	verbose "protocol $p: good cert, bad key"
-	opts3="$opts -i $OBJ/user_key2"
-	opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
-	${SSH} $opts3 somehost exit 5$p
-	r=$?
-	if [ $r -eq 5$p ]; then
-		fail "ssh succeeded with no matching key in protocol $p"
-	fi
-
-	# Keys with one trusted cert, should succeed.
-	verbose "protocol $p: single trusted"
-	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
-	${SSH} $opts3 somehost exit 5$p
-	r=$?
-	if [ $r -ne 5$p ]; then
-		fail "ssh failed with trusted cert and key in protocol $p"
-	fi
-
-	# Multiple certs and keys, with one trusted cert, should succeed.
-	verbose "protocol $p: multiple trusted"
-	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
-	opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
-	${SSH} $opts3 somehost exit 5$p
-	r=$?
-	if [ $r -ne 5$p ]; then
-		fail "ssh failed with multiple certs in protocol $p"
-	fi
-done
+verbose "identity cert with no plain public file"
+${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
+    -i $OBJ/user_key3 somehost exit 52
+[ $? -ne 52 ] && fail "ssh failed"
+
+# CertificateFile matching private key with no .pub file should work.
+verbose "CertificateFile with no plain public file"
+${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
+    -oCertificateFile=$OBJ/user_key3-cert.pub \
+    -i $OBJ/user_key3 somehost exit 52
+[ $? -ne 52 ] && fail "ssh failed"
+
+# Just keys should fail
+verbose "plain keys"
+${SSH} $opts2 somehost exit 52
+r=$?
+if [ $r -eq 52 ]; then
+	fail "ssh succeeded with no certs"
+fi
+
+# Keys with untrusted cert should fail.
+verbose "untrusted cert"
+opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -eq 52 ]; then
+	fail "ssh succeeded with bad cert"
+fi
+
+# Good cert with bad key should fail.
+verbose "good cert, bad key"
+opts3="$opts -i $OBJ/user_key2"
+opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -eq 52 ]; then
+	fail "ssh succeeded with no matching key"
+fi
+
+# Keys with one trusted cert, should succeed.
+verbose "single trusted"
+opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -ne 52 ]; then
+	fail "ssh failed with trusted cert and key"
+fi
+
+# Multiple certs and keys, with one trusted cert, should succeed.
+verbose "multiple trusted"
+opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
+opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -ne 52 ]; then
+	fail "ssh failed with multiple certs"
+fi
 
 #next, using an agent in combination with the keys
 SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
@@ -139,26 +137,25 @@ if [ $? -ne 0 ]; then
 fi
 
 # try ssh with the agent and certificates
-# note: ssh agent only uses certificates in protocol 2
 opts="-F $OBJ/ssh_proxy"
 # with no certificates, shoud fail
-${SSH} -2 $opts somehost exit 52
+${SSH} $opts somehost exit 52
 if [ $? -eq 52 ]; then
-	fail "ssh connect with agent in protocol 2 succeeded with no cert"
+	fail "ssh connect with agent in succeeded with no cert"
 fi
 
 #with an untrusted certificate, should fail
 opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
-${SSH} -2 $opts somehost exit 52
+${SSH} $opts somehost exit 52
 if [ $? -eq 52 ]; then
-	fail "ssh connect with agent in protocol 2 succeeded with bad cert"
+	fail "ssh connect with agent in succeeded with bad cert"
 fi
 
 #with an additional trusted certificate, should succeed
 opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
-${SSH} -2 $opts somehost exit 52
+${SSH} $opts somehost exit 52
 if [ $? -ne 52 ]; then
-	fail "ssh connect with agent in protocol 2 failed with good cert"
+	fail "ssh connect with agent in failed with good cert"
 fi
 
 trace "kill agent"
diff --git a/regress/usr.bin/ssh/cert-hostkey.sh b/regress/usr.bin/ssh/cert-hostkey.sh
index 62261cf8b3b..3d5732a5d4f 100644
--- a/regress/usr.bin/ssh/cert-hostkey.sh
+++ b/regress/usr.bin/ssh/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.15 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="certified host keys"
@@ -104,7 +104,7 @@ attempt_connect() {
 	shift; shift
 	verbose "$tid: $_ident expect success $_expect_success"
 	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 	    "$@" -F $OBJ/ssh_proxy somehost true
 	_r=$?
@@ -169,7 +169,7 @@ for privsep in yes no ; do
 		) > $OBJ/sshd_proxy
 
 		cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 			-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 		if [ $? -eq 0 ]; then
@@ -190,7 +190,7 @@ for ktype in $PLAIN_TYPES ; do
 		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
 	) > $OBJ/sshd_proxy
 	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 		-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 	if [ $? -eq 0 ]; then
@@ -222,7 +222,7 @@ test_one() {
 		) > $OBJ/sshd_proxy
 
 		cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 		rc=$?
@@ -271,7 +271,7 @@ for ktype in $PLAIN_TYPES ; do
 		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
 	) > $OBJ/sshd_proxy
 
-	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 		-F $OBJ/ssh_proxy somehost true
 	if [ $? -ne 0 ]; then
@@ -303,7 +303,7 @@ for kt in $PLAIN_TYPES ; do
 	) > $OBJ/sshd_proxy
 
 	cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 		-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
 	if [ $? -eq 0 ]; then
diff --git a/regress/usr.bin/ssh/cert-userkey.sh b/regress/usr.bin/ssh/cert-userkey.sh
index 7005fd55eb6..6a23fe300bf 100644
--- a/regress/usr.bin/ssh/cert-userkey.sh
+++ b/regress/usr.bin/ssh/cert-userkey.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.17 2016/11/30 03:01:33 djm Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.18 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="certified user keys"
@@ -67,7 +67,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 		# Missing authorized_principals
 		verbose "$tid: ${_prefix} missing authorized_principals"
 		rm -f $OBJ/authorized_principals_$USER
-		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
 		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 		if [ $? -eq 0 ]; then
 			fail "ssh cert connect succeeded unexpectedly"
@@ -76,7 +76,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 		# Empty authorized_principals
 		verbose "$tid: ${_prefix} empty authorized_principals"
 		echo > $OBJ/authorized_principals_$USER
-		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
 		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 		if [ $? -eq 0 ]; then
 			fail "ssh cert connect succeeded unexpectedly"
@@ -85,7 +85,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 		# Wrong authorized_principals
 		verbose "$tid: ${_prefix} wrong authorized_principals"
 		echo gregorsamsa > $OBJ/authorized_principals_$USER
-		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
 		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 		if [ $? -eq 0 ]; then
 			fail "ssh cert connect succeeded unexpectedly"
@@ -94,7 +94,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 		# Correct authorized_principals
 		verbose "$tid: ${_prefix} correct authorized_principals"
 		echo mekmitasdigoat > $OBJ/authorized_principals_$USER
-		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
 		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 		if [ $? -ne 0 ]; then
 			fail "ssh cert connect failed"
@@ -103,7 +103,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 		# authorized_principals with bad key option
 		verbose "$tid: ${_prefix} authorized_principals bad key opt"
 		echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
-		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
 		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 		if [ $? -eq 0 ]; then
 			fail "ssh cert connect succeeded unexpectedly"
@@ -113,7 +113,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 		verbose "$tid: ${_prefix} authorized_principals command=false"
 		echo 'command="false" mekmitasdigoat' > \
 		    $OBJ/authorized_principals_$USER
-		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
 		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 		if [ $? -eq 0 ]; then
 			fail "ssh cert connect succeeded unexpectedly"
@@ -124,7 +124,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 		verbose "$tid: ${_prefix} authorized_principals command=true"
 		echo 'command="true" mekmitasdigoat' > \
 		    $OBJ/authorized_principals_$USER
-		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
 		    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
 		if [ $? -ne 0 ]; then
 			fail "ssh cert connect failed"
@@ -148,7 +148,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 			printf 'cert-authority,principals="gregorsamsa" '
 			cat $OBJ/user_ca_key.pub
 		) > $OBJ/authorized_keys_$USER
-		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
 		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 		if [ $? -eq 0 ]; then
 			fail "ssh cert connect succeeded unexpectedly"
@@ -160,7 +160,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 			printf 'cert-authority,principals="mekmitasdigoat" '
 			cat $OBJ/user_ca_key.pub
 		) > $OBJ/authorized_keys_$USER
-		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		${SSH} -i $OBJ/cert_user_key_${ktype} \
 		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 		if [ $? -ne 0 ]; then
 			fail "ssh cert connect failed"
@@ -198,7 +198,7 @@ basic_tests() {
 				echo "PubkeyAcceptedKeyTypes ${t}"
 			) > $OBJ/ssh_proxy
 
-			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			${SSH} -i $OBJ/cert_user_key_${ktype} \
 			    -F $OBJ/ssh_proxy somehost true
 			if [ $? -ne 0 ]; then
 				fail "ssh cert connect failed"
@@ -215,7 +215,7 @@ basic_tests() {
 			) > $OBJ/sshd_proxy
 			cp $OBJ/cert_user_key_${ktype}.pub \
 			    $OBJ/cert_user_key_revoked
-			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			${SSH} -i $OBJ/cert_user_key_${ktype} \
 			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 			if [ $? -eq 0 ]; then
 				fail "ssh cert connect succeeded unexpecedly"
@@ -224,14 +224,14 @@ basic_tests() {
 			rm $OBJ/cert_user_key_revoked
 			${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
 			    $OBJ/cert_user_key_${ktype}.pub
-			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			${SSH} -i $OBJ/cert_user_key_${ktype} \
 			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 			if [ $? -eq 0 ]; then
 				fail "ssh cert connect succeeded unexpecedly"
 			fi
 			verbose "$tid: ${_prefix} empty KRL"
 			${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
-			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			${SSH} -i $OBJ/cert_user_key_${ktype} \
 			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 			if [ $? -ne 0 ]; then
 				fail "ssh cert connect failed"
@@ -246,7 +246,7 @@ basic_tests() {
 			echo "PubkeyAcceptedKeyTypes ${t}"
 			echo "$extra_sshd"
 		) > $OBJ/sshd_proxy
-		${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+		${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
 		    somehost true >/dev/null 2>&1
 		if [ $? -eq 0 ]; then
 			fail "ssh cert connect succeeded unexpecedly"
@@ -260,7 +260,7 @@ basic_tests() {
 		echo "$extra_sshd"
 	) > $OBJ/sshd_proxy
 	verbose "$tid: ensure CA key does not authenticate user"
-	${SSH} -2i $OBJ/user_ca_key \
+	${SSH} -i $OBJ/user_ca_key \
 	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 	if [ $? -eq 0 ]; then
 		fail "ssh cert connect with CA key succeeded unexpectedly"
@@ -307,7 +307,7 @@ test_one() {
 			    $sign_opts $OBJ/cert_user_key_${ktype} ||
 				fail "couldn't sign cert_user_key_${ktype}"
 
-			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			${SSH} -i $OBJ/cert_user_key_${ktype} \
 			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 			rc=$?
 			if [ "x$result" = "xsuccess" ] ; then
@@ -378,7 +378,7 @@ for ktype in $PLAIN_TYPES ; do
 	    -n $USER $OBJ/cert_user_key_${ktype} ||
 		fatal "couldn't sign cert_user_key_${ktype}"
 	verbose "$tid: user ${ktype} connect wrong cert"
-	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+	${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
 	    somehost true >/dev/null 2>&1
 	if [ $? -eq 0 ]; then
 		fail "ssh cert connect $ident succeeded unexpectedly"
diff --git a/regress/usr.bin/ssh/cfgmatch.sh b/regress/usr.bin/ssh/cfgmatch.sh
index 05629639865..2504d04f4c5 100644
--- a/regress/usr.bin/ssh/cfgmatch.sh
+++ b/regress/usr.bin/ssh/cfgmatch.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cfgmatch.sh,v 1.9 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: cfgmatch.sh,v 1.10 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="sshd_config match"
@@ -13,7 +13,7 @@ echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
 start_client()
 {
 	rm -f $pidfile
-	${SSH} -q -$p $fwd "$@" somehost \
+	${SSH} -q $fwd "$@" somehost \
 	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
 	    >>$TEST_REGRESS_LOGFILE 2>&1 &
 	client_pid=$!
@@ -56,22 +56,18 @@ start_sshd
 #set -x
 
 # Test Match + PermitOpen in sshd_config.  This should be permitted
-for p in ${SSH_PROTOCOLS}; do
-	trace "match permitopen localhost proto $p"
-	start_client -F $OBJ/ssh_config
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
-	    fail "match permitopen permit proto $p"
-	stop_client
-done
+trace "match permitopen localhost"
+start_client -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+    fail "match permitopen permit"
+stop_client
 
 # Same but from different source.  This should not be permitted
-for p in ${SSH_PROTOCOLS}; do
-	trace "match permitopen proxy proto $p"
-	start_client -F $OBJ/ssh_proxy
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
-	    fail "match permitopen deny proto $p"
-	stop_client
-done
+trace "match permitopen proxy"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
+    fail "match permitopen deny"
+stop_client
 
 # Retry previous with key option, should also be denied.
 cp /dev/null $OBJ/authorized_keys_$USER
@@ -79,23 +75,19 @@ for t in ${SSH_KEYTYPES}; do
 	printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER
 	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
 done
-for p in ${SSH_PROTOCOLS}; do
-	trace "match permitopen proxy w/key opts proto $p"
-	start_client -F $OBJ/ssh_proxy
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
-	    fail "match permitopen deny w/key opt proto $p"
-	stop_client
-done
+trace "match permitopen proxy w/key opts"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
+    fail "match permitopen deny w/key opt"
+stop_client
 
 # Test both sshd_config and key options permitting the same dst/port pair.
 # Should be permitted.
-for p in ${SSH_PROTOCOLS}; do
-	trace "match permitopen localhost proto $p"
-	start_client -F $OBJ/ssh_config
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
-	    fail "match permitopen permit proto $p"
-	stop_client
-done
+trace "match permitopen localhost"
+start_client -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+    fail "match permitopen permit"
+stop_client
 
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
@@ -103,13 +95,11 @@ echo "Match User $USER" >>$OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 
 # Test that a Match overrides a PermitOpen in the global section
-for p in ${SSH_PROTOCOLS}; do
-	trace "match permitopen proxy w/key opts proto $p"
-	start_client -F $OBJ/ssh_proxy
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
-	    fail "match override permitopen proto $p"
-	stop_client
-done
+trace "match permitopen proxy w/key opts"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
+    fail "match override permitopen"
+stop_client
 
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
@@ -118,10 +108,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 
 # Test that a rule that doesn't match doesn't override, plus test a
 # PermitOpen entry that's not at the start of the list
-for p in ${SSH_PROTOCOLS}; do
-	trace "nomatch permitopen proxy w/key opts proto $p"
-	start_client -F $OBJ/ssh_proxy
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
-	    fail "nomatch override permitopen proto $p"
-	stop_client
-done
+trace "nomatch permitopen proxy w/key opts"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+    fail "nomatch override permitopen"
+stop_client
diff --git a/regress/usr.bin/ssh/cipher-speed.sh b/regress/usr.bin/ssh/cipher-speed.sh
index cb56f0d51cb..22d1d7f14fb 100644
--- a/regress/usr.bin/ssh/cipher-speed.sh
+++ b/regress/usr.bin/ssh/cipher-speed.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cipher-speed.sh,v 1.13 2015/03/24 20:22:17 markus Exp $
+#	$OpenBSD: cipher-speed.sh,v 1.14 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="cipher speed"
@@ -11,16 +11,16 @@ getbytes ()
 tries="1 2"
 
 for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
-	trace "proto 2 cipher $c mac $m"
+	trace "cipher $c mac $m"
 	for x in $tries; do
 		printf "$c/$m:\t"
 		( ${SSH} -o 'compression no' \
-			-F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
+			-F $OBJ/ssh_proxy -m $m -c $c somehost \
 			exec sh -c \'"dd of=/dev/null obs=32k"\' \
 		< ${DATA} ) 2>&1 | getbytes
 
 		if [ $? -ne 0 ]; then
-			fail "ssh -2 failed with mac $m cipher $c"
+			fail "ssh failed with mac $m cipher $c"
 		fi
 	done
 	# No point trying all MACs for AEAD ciphers since they are ignored.
@@ -30,21 +30,3 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
 	n=$(($n + 1))
 done; done
 
-if ssh_version 1; then
-	ciphers="3des blowfish"
-else
-	ciphers=""
-fi
-for c in $ciphers; do
-	trace "proto 1 cipher $c"
-	for x in $tries; do
-		printf "$c:\t"
-		( ${SSH} -o 'compression no' \
-			-F $OBJ/ssh_proxy -1 -c $c somehost \
-			exec sh -c \'"dd of=/dev/null obs=32k"\' \
-		< ${DATA} ) 2>&1 | getbytes
-		if [ $? -ne 0 ]; then
-			fail "ssh -1 failed with cipher $c"
-		fi
-	done
-done
diff --git a/regress/usr.bin/ssh/connect-privsep.sh b/regress/usr.bin/ssh/connect-privsep.sh
index 0ce6977f6ab..342c3e12397 100644
--- a/regress/usr.bin/ssh/connect-privsep.sh
+++ b/regress/usr.bin/ssh/connect-privsep.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: connect-privsep.sh,v 1.8 2016/11/01 13:43:27 tb Exp $
+#	$OpenBSD: connect-privsep.sh,v 1.9 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="proxy connect with privsep"
@@ -6,30 +6,26 @@ tid="proxy connect with privsep"
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
 echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy
 
-for p in ${SSH_PROTOCOLS}; do
-	${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
-	if [ $? -ne 0 ]; then
-		fail "ssh privsep+proxyconnect protocol $p failed"
-	fi
-done
+${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
+if [ $? -ne 0 ]; then
+	fail "ssh privsep+proxyconnect failed"
+fi
 
 cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
 echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy
 
-for p in ${SSH_PROTOCOLS}; do
-	${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
-	if [ $? -ne 0 ]; then
-		fail "ssh privsep/sandbox+proxyconnect protocol $p failed"
-	fi
-done
+${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
+if [ $? -ne 0 ]; then
+	fail "ssh privsep/sandbox+proxyconnect failed"
+fi
 
 # Because sandbox is sensitive to changes in libc, especially malloc, retest
 # with every malloc.conf option (and none).
 for m in '' C F G J R S U X '<' '>'; do
-    for p in ${SSH_PROTOCOLS}; do
-	env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
+	env MALLOC_OPTIONS="$m" \
+		${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
 	if [ $? -ne 0 ]; then
-		fail "ssh privsep/sandbox+proxyconnect protocol $p mopt '$m' failed"
+		fail "ssh privsep/sandbox+proxyconnect mopt '$m' failed"
 	fi
-    done
 done
+
diff --git a/regress/usr.bin/ssh/connect.sh b/regress/usr.bin/ssh/connect.sh
index f0d55d343d8..1b344b6034e 100644
--- a/regress/usr.bin/ssh/connect.sh
+++ b/regress/usr.bin/ssh/connect.sh
@@ -1,13 +1,11 @@
-#	$OpenBSD: connect.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: connect.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="simple connect"
 
 start_sshd
 
-for p in ${SSH_PROTOCOLS}; do
-	${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
-	if [ $? -ne 0 ]; then
-		fail "ssh connect with protocol $p failed"
-	fi
-done
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+	fail "ssh connect with failed"
+fi
diff --git a/regress/usr.bin/ssh/dynamic-forward.sh b/regress/usr.bin/ssh/dynamic-forward.sh
index 80cbc195503..346a3ac921c 100644
--- a/regress/usr.bin/ssh/dynamic-forward.sh
+++ b/regress/usr.bin/ssh/dynamic-forward.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: dynamic-forward.sh,v 1.11 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: dynamic-forward.sh,v 1.12 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="dynamic forwarding"
@@ -17,43 +17,42 @@ trace "will use ProxyCommand $proxycmd"
 
 start_sshd
 
-for p in ${SSH_PROTOCOLS}; do
-	n=0
-	error="1"
-	trace "start dynamic forwarding, fork to background"
-	while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
-		n=`expr $n + 1`
-		${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \
-		    -oExitOnForwardFailure=yes somehost exec sh -c \
-			\'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
-		error=$?
-		if [ "$error" -ne 0 ]; then
-			trace "forward failed proto $p attempt $n err $error"
-			sleep $n
-		fi
-	done
+n=0
+error="1"
+trace "start dynamic forwarding, fork to background"
+while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
+	n=`expr $n + 1`
+	${SSH} -F $OBJ/ssh_config -f -D $FWDPORT -q \
+	    -oExitOnForwardFailure=yes somehost exec sh -c \
+		\'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
+	error=$?
 	if [ "$error" -ne 0 ]; then
-		fatal "failed to start dynamic forwarding proto $p"
+		trace "forward failed attempt $n err $error"
+		sleep $n
 	fi
+done
+if [ "$error" -ne 0 ]; then
+	fatal "failed to start dynamic forwarding"
+fi
 
-	for s in 4 5; do
-	    for h in 127.0.0.1 localhost; do
-		trace "testing ssh protocol $p socks version $s host $h"
-		${SSH} -F $OBJ/ssh_config \
-			-o "ProxyCommand ${proxycmd}${s} $h $PORT" \
-			somehost cat ${DATA} > ${COPY}
-		test -f ${COPY}	 || fail "failed copy ${DATA}"
-		cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
-	    done
-	done
-
-	if [ -f $OBJ/remote_pid ]; then
-		remote=`cat $OBJ/remote_pid`
-		trace "terminate remote shell, pid $remote"
-		if [ $remote -gt 1 ]; then
-			kill -HUP $remote
-		fi
-	else
-		fail "no pid file: $OBJ/remote_pid"
-	fi
+for s in 4 5; do
+    for h in 127.0.0.1 localhost; do
+	trace "testing ssh socks version $s host $h"
+	${SSH} -F $OBJ/ssh_config \
+		-o "ProxyCommand ${proxycmd}${s} $h $PORT" \
+		somehost cat ${DATA} > ${COPY}
+	test -f ${COPY}	 || fail "failed copy ${DATA}"
+	cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
+    done
 done
+
+if [ -f $OBJ/remote_pid ]; then
+	remote=`cat $OBJ/remote_pid`
+	trace "terminate remote shell, pid $remote"
+	if [ $remote -gt 1 ]; then
+		kill -HUP $remote
+	fi
+else
+	fail "no pid file: $OBJ/remote_pid"
+fi
+
diff --git a/regress/usr.bin/ssh/exit-status.sh b/regress/usr.bin/ssh/exit-status.sh
index 397d8d732fe..aadf99fb3c8 100644
--- a/regress/usr.bin/ssh/exit-status.sh
+++ b/regress/usr.bin/ssh/exit-status.sh
@@ -1,24 +1,22 @@
-#	$OpenBSD: exit-status.sh,v 1.7 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: exit-status.sh,v 1.8 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="remote exit status"
 
-for p in ${SSH_PROTOCOLS}; do
-	for s in 0 1 4 5 44; do
-		trace "proto $p status $s"
-		verbose "test $tid: proto $p status $s"
-		${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s
-		r=$?
-		if [ $r -ne $s ]; then
-			fail "exit code mismatch for protocol $p: $r != $s"
-		fi
+for s in 0 1 4 5 44; do
+	trace "status $s"
+	verbose "test $tid: status $s"
+	${SSH} -F $OBJ/ssh_proxy otherhost exit $s
+	r=$?
+	if [ $r -ne $s ]; then
+		fail "exit code mismatch for: $r != $s"
+	fi
 
-		# same with early close of stdout/err
-		${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \
-                	exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
-		r=$?
-		if [ $r -ne $s ]; then
-			fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
-		fi
-	done
+	# same with early close of stdout/err
+	${SSH} -F $OBJ/ssh_proxy -n otherhost exec \
+	    sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
+	r=$?
+	if [ $r -ne $s ]; then
+		fail "exit code (with sleep) mismatch for: $r != $s"
+	fi
 done
diff --git a/regress/usr.bin/ssh/forcecommand.sh b/regress/usr.bin/ssh/forcecommand.sh
index 8a9b090ea5d..e059f1fdbc6 100644
--- a/regress/usr.bin/ssh/forcecommand.sh
+++ b/regress/usr.bin/ssh/forcecommand.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: forcecommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: forcecommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="forced command"
@@ -11,11 +11,8 @@ for t in ${SSH_KEYTYPES}; do
 	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
 done
 
-for p in ${SSH_PROTOCOLS}; do
-	trace "forced command in key option proto $p"
-	${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
-	    fail "forced command in key proto $p"
-done
+trace "forced command in key option"
+${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key"
 
 cp /dev/null $OBJ/authorized_keys_$USER
 for t in ${SSH_KEYTYPES}; do
@@ -26,19 +23,13 @@ done
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "ForceCommand true" >> $OBJ/sshd_proxy
 
-for p in ${SSH_PROTOCOLS}; do
-	trace "forced command in sshd_config overrides key option proto $p"
-	${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
-	    fail "forced command in key proto $p"
-done
+trace "forced command in sshd_config overrides key option"
+${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key"
 
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "ForceCommand false" >> $OBJ/sshd_proxy
 echo "Match User $USER" >> $OBJ/sshd_proxy
 echo "    ForceCommand true" >> $OBJ/sshd_proxy
 
-for p in ${SSH_PROTOCOLS}; do
-	trace "forced command with match proto $p"
-	${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
-	    fail "forced command in key proto $p"
-done
+trace "forced command with match"
+${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key"
diff --git a/regress/usr.bin/ssh/forward-control.sh b/regress/usr.bin/ssh/forward-control.sh
index d9289282d1c..49382771f0e 100644
--- a/regress/usr.bin/ssh/forward-control.sh
+++ b/regress/usr.bin/ssh/forward-control.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: forward-control.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: forward-control.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="sshd control of local and remote forwarding"
@@ -32,13 +32,12 @@ wait_for_process_to_exit() {
 	return 0
 }
 
-# usage: check_lfwd protocol Y|N message
+# usage: check_lfwd Y|N message
 check_lfwd() {
-	_proto=$1
-	_expected=$2
-	_message=$3
+	_expected=$1
+	_message=$2
 	rm -f $READY
-	${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+	${SSH} -F $OBJ/ssh_proxy \
 	    -L$LFWD_PORT:127.0.0.1:$PORT \
 	    -o ExitOnForwardFailure=yes \
 	    -n host "sleep 60 & echo \$! > $READY ; wait " \
@@ -62,13 +61,12 @@ check_lfwd() {
 	fi
 }
 
-# usage: check_rfwd protocol Y|N message
+# usage: check_rfwd Y|N message
 check_rfwd() {
-	_proto=$1
-	_expected=$2
-	_message=$3
+	_expected=$1
+	_message=$2
 	rm -f $READY
-	${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+	${SSH} -F $OBJ/ssh_proxy \
 	    -R$RFWD_PORT:127.0.0.1:$PORT \
 	    -o ExitOnForwardFailure=yes \
 	    -n host "sleep 60 & echo \$! > $READY ; wait " \
@@ -99,10 +97,8 @@ cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
 cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
 
 # Sanity check: ensure the default config allows forwarding
-for p in ${SSH_PROTOCOLS} ; do
-	check_lfwd $p Y "proto $p, default configuration"
-	check_rfwd $p Y "proto $p, default configuration"
-done
+check_lfwd Y "default configuration"
+check_rfwd Y "default configuration"
 
 # Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
 all_tests() {
@@ -115,49 +111,46 @@ all_tests() {
 	_permit_rfwd=$7
 	_badfwd=127.0.0.1:22
 	_goodfwd=127.0.0.1:${PORT}
-	for _proto in ${SSH_PROTOCOLS} ; do
-		cp ${OBJ}/authorized_keys_${USER}.bak \
-		    ${OBJ}/authorized_keys_${USER}
-		_prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
-		# No PermitOpen
-		( cat ${OBJ}/sshd_proxy.bak ;
-		  echo "AllowTcpForwarding $_tcpfwd" ) \
-		    > ${OBJ}/sshd_proxy
-		check_lfwd $_proto $_plain_lfwd "$_prefix"
-		check_rfwd $_proto $_plain_rfwd "$_prefix"
-		# PermitOpen via sshd_config that doesn't match
-		( cat ${OBJ}/sshd_proxy.bak ;
-		  echo "AllowTcpForwarding $_tcpfwd" ;
-		  echo "PermitOpen $_badfwd" ) \
-		    > ${OBJ}/sshd_proxy
-		check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
-		check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
-		# PermitOpen via sshd_config that does match
-		( cat ${OBJ}/sshd_proxy.bak ;
-		  echo "AllowTcpForwarding $_tcpfwd" ;
-		  echo "PermitOpen $_badfwd $_goodfwd" ) \
-		    > ${OBJ}/sshd_proxy
-		# NB. permitopen via authorized_keys should have same
-		# success/fail as via sshd_config
-		# permitopen via authorized_keys that doesn't match
-		sed "s/^/permitopen=\"$_badfwd\" /" \
-		    < ${OBJ}/authorized_keys_${USER}.bak \
-		    > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
-		( cat ${OBJ}/sshd_proxy.bak ;
-		  echo "AllowTcpForwarding $_tcpfwd" ) \
-		    > ${OBJ}/sshd_proxy
-		check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
-		check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
-		# permitopen via authorized_keys that does match
-		sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
-		    < ${OBJ}/authorized_keys_${USER}.bak \
-		    > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
-		( cat ${OBJ}/sshd_proxy.bak ;
-		  echo "AllowTcpForwarding $_tcpfwd" ) \
-		    > ${OBJ}/sshd_proxy
-		check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
-		check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
-	done
+	cp ${OBJ}/authorized_keys_${USER}.bak  ${OBJ}/authorized_keys_${USER}
+	_prefix="AllowTcpForwarding=$_tcpfwd"
+	# No PermitOpen
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_plain_lfwd "$_prefix"
+	check_rfwd $_plain_rfwd "$_prefix"
+	# PermitOpen via sshd_config that doesn't match
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ;
+	  echo "PermitOpen $_badfwd" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
+	check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
+	# PermitOpen via sshd_config that does match
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ;
+	  echo "PermitOpen $_badfwd $_goodfwd" ) \
+	    > ${OBJ}/sshd_proxy
+	# NB. permitopen via authorized_keys should have same
+	# success/fail as via sshd_config
+	# permitopen via authorized_keys that doesn't match
+	sed "s/^/permitopen=\"$_badfwd\" /" \
+	    < ${OBJ}/authorized_keys_${USER}.bak \
+	    > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
+	check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
+	# permitopen via authorized_keys that does match
+	sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
+	    < ${OBJ}/authorized_keys_${USER}.bak \
+	    > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_permit_lfwd "$_prefix, permitopen"
+	check_rfwd $_permit_rfwd "$_prefix, permitopen"
 }
 
 #                      no-permitopen mismatch-permitopen match-permitopen
diff --git a/regress/usr.bin/ssh/forwarding.sh b/regress/usr.bin/ssh/forwarding.sh
index dd526eeeaa5..d126b6b88d2 100644
--- a/regress/usr.bin/ssh/forwarding.sh
+++ b/regress/usr.bin/ssh/forwarding.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: forwarding.sh,v 1.19 2017/01/30 05:22:14 djm Exp $
+#	$OpenBSD: forwarding.sh,v 1.20 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="local and remote forwarding"
@@ -20,30 +20,24 @@ for j in 0 1 2; do
 		last=$a
 	done
 done
-for p in ${SSH_PROTOCOLS}; do
-	q=`expr 3 - $p`
-	if ! ssh_version $q; then
-		q=$p
-	fi
-	trace "start forwarding, fork to background"
-	rm -f $CTL
-	${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10
 
-	trace "transfer over forwarded channels and check result"
-	${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
-		somehost cat ${DATA} > ${COPY}
-	test -s ${COPY}		|| fail "failed copy of ${DATA}"
-	cmp ${DATA} ${COPY}	|| fail "corrupted copy of ${DATA}"
+trace "start forwarding, fork to background"
+rm -f $CTL
+${SSH} -S $CTL -M -F $OBJ/ssh_config -f $fwd somehost sleep 10
 
-	${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
-done
+trace "transfer over forwarded channels and check result"
+${SSH} -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
+	somehost cat ${DATA} > ${COPY}
+test -s ${COPY}		|| fail "failed copy of ${DATA}"
+cmp ${DATA} ${COPY}	|| fail "corrupted copy of ${DATA}"
+
+${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
 
-for p in ${SSH_PROTOCOLS}; do
 for d in L R; do
-	trace "exit on -$d forward failure, proto $p"
+	trace "exit on -$d forward failure"
 
 	# this one should succeed
-	${SSH} -$p -F $OBJ/ssh_config \
+	${SSH}  -F $OBJ/ssh_config \
 	    -$d ${base}01:127.0.0.1:$PORT \
 	    -$d ${base}02:127.0.0.1:$PORT \
 	    -$d ${base}03:127.0.0.1:$PORT \
@@ -53,7 +47,7 @@ for d in L R; do
 		fatal "connection failed, should not"
 	else
 		# this one should fail
-		${SSH} -q -$p -F $OBJ/ssh_config \
+		${SSH} -q -F $OBJ/ssh_config \
 		    -$d ${base}01:127.0.0.1:$PORT \
 		    -$d ${base}02:127.0.0.1:$PORT \
 		    -$d ${base}03:127.0.0.1:$PORT \
@@ -66,82 +60,74 @@ for d in L R; do
 		fi
 	fi
 done
-done
 
-for p in ${SSH_PROTOCOLS}; do
-	trace "simple clear forwarding proto $p"
-	${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
-
-	trace "clear local forward proto $p"
-	rm -f $CTL
-	${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
-	    -oClearAllForwardings=yes somehost sleep 10
-	if [ $? != 0 ]; then
-		fail "connection failed with cleared local forwarding"
-	else
-		# this one should fail
-		${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \
-		     >>$TEST_REGRESS_LOGFILE 2>&1 && \
-			fail "local forwarding not cleared"
-	fi
-	${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
-	
-	trace "clear remote forward proto $p"
-	rm -f $CTL
-	${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
-	    -oClearAllForwardings=yes somehost sleep 10
-	if [ $? != 0 ]; then
-		fail "connection failed with cleared remote forwarding"
-	else
-		# this one should fail
-		${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \
-		     >>$TEST_REGRESS_LOGFILE 2>&1 && \
-			fail "remote forwarding not cleared"
-	fi
-	${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
-done
-
-for p in 2; do
-	trace "stdio forwarding proto $p"
-	cmd="${SSH} -$p -F $OBJ/ssh_config"
-	$cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" \
-		somehost true
-	if [ $? != 0 ]; then
-		fail "stdio forwarding proto $p"
-	fi
-done
+trace "simple clear forwarding"
+${SSH} -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
+
+trace "clear local forward"
+rm -f $CTL
+${SSH} -S $CTL -M -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
+    -oClearAllForwardings=yes somehost sleep 10
+if [ $? != 0 ]; then
+	fail "connection failed with cleared local forwarding"
+else
+	# this one should fail
+	${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \
+	     >>$TEST_REGRESS_LOGFILE 2>&1 && \
+		fail "local forwarding not cleared"
+fi
+${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
+
+trace "clear remote forward"
+rm -f $CTL
+${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
+    -oClearAllForwardings=yes somehost sleep 10
+if [ $? != 0 ]; then
+	fail "connection failed with cleared remote forwarding"
+else
+	# this one should fail
+	${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \
+	     >>$TEST_REGRESS_LOGFILE 2>&1 && \
+		fail "remote forwarding not cleared"
+fi
+${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
+
+trace "stdio forwarding"
+cmd="${SSH} -F $OBJ/ssh_config"
+$cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" somehost true
+if [ $? != 0 ]; then
+	fail "stdio forwarding"
+fi
 
 echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config
 echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config
-for p in ${SSH_PROTOCOLS}; do
-	trace "config file: start forwarding, fork to background"
-	rm -f $CTL
-	${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f somehost sleep 10
-
-	trace "config file: transfer over forwarded channels and check result"
-	${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
-		somehost cat ${DATA} > ${COPY}
-	test -s ${COPY}		|| fail "failed copy of ${DATA}"
-	cmp ${DATA} ${COPY}	|| fail "corrupted copy of ${DATA}"
-
-	${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
-done
 
-for p in 2; do
-	trace "transfer over chained unix domain socket forwards and check result"
-	rm -f $OBJ/unix-[123].fwd
-	rm -f $CTL $CTL.[123]
-	${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10
-	${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10
-	${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10
-	${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10
-	${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \
-		somehost cat ${DATA} > ${COPY}
-	test -s ${COPY}			|| fail "failed copy ${DATA}"
-	cmp ${DATA} ${COPY}		|| fail "corrupted copy of ${DATA}"
-
-	${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
-	${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost
-	${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost
-	${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost
-done
+trace "config file: start forwarding, fork to background"
+rm -f $CTL
+${SSH} -S $CTL -M -F $OBJ/ssh_config -f somehost sleep 10
+
+trace "config file: transfer over forwarded channels and check result"
+${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
+	somehost cat ${DATA} > ${COPY}
+test -s ${COPY}		|| fail "failed copy of ${DATA}"
+cmp ${DATA} ${COPY}	|| fail "corrupted copy of ${DATA}"
+
+${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
+
+trace "transfer over chained unix domain socket forwards and check result"
+rm -f $OBJ/unix-[123].fwd
+rm -f $CTL $CTL.[123]
+${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10
+${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10
+${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10
+${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10
+${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \
+	somehost cat ${DATA} > ${COPY}
+test -s ${COPY}			|| fail "failed copy ${DATA}"
+cmp ${DATA} ${COPY}		|| fail "corrupted copy of ${DATA}"
+
+${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
+${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost
+${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost
+${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost
+
diff --git a/regress/usr.bin/ssh/host-expand.sh b/regress/usr.bin/ssh/host-expand.sh
index 2a95bfe1b37..9444f7fb619 100644
--- a/regress/usr.bin/ssh/host-expand.sh
+++ b/regress/usr.bin/ssh/host-expand.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: host-expand.sh,v 1.4 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: host-expand.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="expand %h and %n"
@@ -11,9 +11,6 @@ somehost
 127.0.0.1
 EOE
 
-for p in ${SSH_PROTOCOLS}; do
-	verbose "test $tid: proto $p"
-	${SSH} -F $OBJ/ssh_proxy -$p somehost true >$OBJ/actual
-	diff $OBJ/expect $OBJ/actual || fail "$tid proto $p"
-done
+${SSH} -F $OBJ/ssh_proxy somehost true >$OBJ/actual
+diff $OBJ/expect $OBJ/actual || fail "$tid"
 
diff --git a/regress/usr.bin/ssh/hostkey-agent.sh b/regress/usr.bin/ssh/hostkey-agent.sh
index 094700da62f..811b6b9ab25 100644
--- a/regress/usr.bin/ssh/hostkey-agent.sh
+++ b/regress/usr.bin/ssh/hostkey-agent.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: hostkey-agent.sh,v 1.6 2015/07/10 06:23:25 markus Exp $
+#	$OpenBSD: hostkey-agent.sh,v 1.7 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="hostkey agent"
@@ -40,7 +40,7 @@ for ps in no yes; do
 		cp $OBJ/known_hosts.orig $OBJ/known_hosts
 		SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
 		if [ $? -ne 0 ]; then
-			fail "protocol $p privsep=$ps failed"
+			fail "privsep=$ps failed"
 		fi
 		if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
 			fail "bad SSH_CONNECTION key type $k privsep=$ps"
diff --git a/regress/usr.bin/ssh/integrity.sh b/regress/usr.bin/ssh/integrity.sh
index 12e91e9d88d..062a8cfd6bf 100644
--- a/regress/usr.bin/ssh/integrity.sh
+++ b/regress/usr.bin/ssh/integrity.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: integrity.sh,v 1.22 2017/04/28 04:16:27 dtucker Exp $
+#	$OpenBSD: integrity.sh,v 1.23 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="integrity"
@@ -41,7 +41,7 @@ for m in $macs; do
 			macopt="-m $m -c aes128-ctr"
 		fi
 		verbose "test $tid: $m @$off"
-		${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
+		${SSH} $macopt -F $OBJ/ssh_proxy -o "$pxy" \
 		    -oServerAliveInterval=1 -oServerAliveCountMax=30 \
 		    999.999.999.999 'printf "%4096s" " "' >/dev/null
 		if [ $? -eq 0 ]; then
diff --git a/regress/usr.bin/ssh/key-options.sh b/regress/usr.bin/ssh/key-options.sh
index 7a68ad358b7..2adee683347 100644
--- a/regress/usr.bin/ssh/key-options.sh
+++ b/regress/usr.bin/ssh/key-options.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: key-options.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: key-options.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="key options"
@@ -8,64 +8,56 @@ authkeys="$OBJ/authorized_keys_${USER}"
 cp $authkeys $origkeys
 
 # Test command= forced command
-for p in ${SSH_PROTOCOLS}; do
-    for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
+for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
 	sed "s/.*/$c &/" $origkeys >$authkeys
-	verbose "key option proto $p $c"
-	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo`
+	verbose "key option $c"
+	r=`${SSH} -q -F $OBJ/ssh_proxy somehost echo foo`
 	if [ "$r" = "foo" ]; then
 		fail "key option forced command not restricted"
 	fi
 	if [ "$r" != "bar" ]; then
 		fail "key option forced command not executed"
 	fi
-    done
 done
 
 # Test no-pty
 sed 's/.*/no-pty &/' $origkeys >$authkeys
-for p in ${SSH_PROTOCOLS}; do
-	verbose "key option proto $p no-pty"
-	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty`
-	if [ -f "$r" ]; then
-		fail "key option failed proto $p no-pty (pty $r)"
-	fi
-done
+verbose "key option proto no-pty"
+r=`${SSH} -q -F $OBJ/ssh_proxy somehost tty`
+if [ -f "$r" ]; then
+	fail "key option failed no-pty (pty $r)"
+fi
 
 # Test environment=
 echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
 sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
-for p in ${SSH_PROTOCOLS}; do
-	verbose "key option proto $p environment"
-	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
-	if [ "$r" != "bar" ]; then
-		fail "key option environment not set"
-	fi
-done
+verbose "key option environment"
+r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
+if [ "$r" != "bar" ]; then
+	fail "key option environment not set"
+fi
 
 # Test from= restriction
 start_sshd
-for p in ${SSH_PROTOCOLS}; do
-    for f in 127.0.0.1 '127.0.0.0\/8'; do
+for f in 127.0.0.1 '127.0.0.0\/8'; do
 	cat  $origkeys >$authkeys
-	${SSH} -$p -q -F $OBJ/ssh_proxy somehost true
+	${SSH} -q -F $OBJ/ssh_proxy somehost true
 	if [ $? -ne 0 ]; then
-		fail "key option proto $p failed without restriction"
+		fail "key option failed without restriction"
 	fi
 
 	sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
 	from=`head -1 $authkeys | cut -f1 -d ' '`
-	verbose "key option proto $p $from"
-	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'`
+	verbose "key option $from"
+	r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
 	if [ "$r" = "true" ]; then
-		fail "key option proto $p $from not restricted"
+		fail "key option $from not restricted"
 	fi
 
-	r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'`
+	r=`${SSH} -q -F $OBJ/ssh_config somehost 'echo true'`
 	if [ "$r" != "true" ]; then
-		fail "key option proto $p $from not allowed but should be"
+		fail "key option $from not allowed but should be"
 	fi
-    done
 done
 
 rm -f "$origkeys"
diff --git a/regress/usr.bin/ssh/keygen-change.sh b/regress/usr.bin/ssh/keygen-change.sh
index e56185050dd..8b8acd52fb9 100644
--- a/regress/usr.bin/ssh/keygen-change.sh
+++ b/regress/usr.bin/ssh/keygen-change.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: keygen-change.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: keygen-change.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="change passphrase for key"
@@ -7,9 +7,6 @@ S1="secret1"
 S2="2secret"
 
 KEYTYPES=`${SSH} -Q key-plain`
-if ssh_version 1; then
-	KEYTYPES="${KEYTYPES} rsa1"
-fi
 
 for t in $KEYTYPES; do
 	# generate user key for agent
diff --git a/regress/usr.bin/ssh/keyscan.sh b/regress/usr.bin/ssh/keyscan.sh
index f97364b76e7..3bde1219a60 100644
--- a/regress/usr.bin/ssh/keyscan.sh
+++ b/regress/usr.bin/ssh/keyscan.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: keyscan.sh,v 1.5 2015/09/11 03:44:21 djm Exp $
+#	$OpenBSD: keyscan.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="keyscan"
@@ -9,10 +9,6 @@ rm -f ${OBJ}/host.dsa
 start_sshd
 
 KEYTYPES=`${SSH} -Q key-plain`
-if ssh_version 1; then
-	KEYTYPES="${KEYTYPES} rsa1"
-fi
-
 for t in $KEYTYPES; do
 	trace "keyscan type $t"
 	${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
diff --git a/regress/usr.bin/ssh/localcommand.sh b/regress/usr.bin/ssh/localcommand.sh
index 220f19a4d48..5224a16b24d 100644
--- a/regress/usr.bin/ssh/localcommand.sh
+++ b/regress/usr.bin/ssh/localcommand.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: localcommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: localcommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="localcommand"
@@ -6,10 +6,8 @@ tid="localcommand"
 echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy
 echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy
 
-for p in ${SSH_PROTOCOLS}; do
-	verbose "test $tid: proto $p localcommand"
-	a=`${SSH} -F $OBJ/ssh_proxy -$p somehost true`
-	if [ "$a" != "foo" ] ; then
-		fail "$tid proto $p"
-	fi
-done
+verbose "test $tid: proto $p localcommand"
+a=`${SSH} -F $OBJ/ssh_proxy somehost true`
+if [ "$a" != "foo" ] ; then
+	fail "$tid proto $p"
+fi
diff --git a/regress/usr.bin/ssh/misc/kexfuzz/kexfuzz.c b/regress/usr.bin/ssh/misc/kexfuzz/kexfuzz.c
index 4c1f5644db5..daf60306f6a 100644
--- a/regress/usr.bin/ssh/misc/kexfuzz/kexfuzz.c
+++ b/regress/usr.bin/ssh/misc/kexfuzz/kexfuzz.c
@@ -1,4 +1,4 @@
-/* 	$OpenBSD: kexfuzz.c,v 1.3 2016/10/11 21:49:54 djm Exp $ */
+/* 	$OpenBSD: kexfuzz.c,v 1.4 2017/04/30 23:34:55 djm Exp $ */
 /*
  * Fuzz harness for KEX code
  *
@@ -412,7 +412,7 @@ main(int argc, char **argv)
 	close(fd);
 	/* XXX check that it is a private key */
 	/* XXX support certificates */
-	if (key == NULL || key->type == KEY_UNSPEC || key->type == KEY_RSA1)
+	if (key == NULL || key->type == KEY_UNSPEC)
 		badusage("Invalid key file (-k flag)");
 
 	/* Replace (fuzz) mode */
diff --git a/regress/usr.bin/ssh/multiplex.sh b/regress/usr.bin/ssh/multiplex.sh
index f32a25f7131..2bddee7f5c1 100644
--- a/regress/usr.bin/ssh/multiplex.sh
+++ b/regress/usr.bin/ssh/multiplex.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: multiplex.sh,v 1.27 2014/12/22 06:14:29 djm Exp $
+#	$OpenBSD: multiplex.sh,v 1.28 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 CTL=$OBJ/ctl-sock
@@ -94,7 +94,7 @@ for s in 0 1 4 5 44; do
 	${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s
 	r=$?
 	if [ $r -ne $s ]; then
-		fail "exit code mismatch for protocol $p: $r != $s"
+		fail "exit code mismatch: $r != $s"
 	fi
 
 	# same with early close of stdout/err
@@ -103,7 +103,7 @@ for s in 0 1 4 5 44; do
                 exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
 	r=$?
 	if [ $r -ne $s ]; then
-		fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
+		fail "exit code (with sleep) mismatch: $r != $s"
 	fi
 done
 
diff --git a/regress/usr.bin/ssh/principals-command.sh b/regress/usr.bin/ssh/principals-command.sh
index 37d23ab3331..280d2c89ed3 100644
--- a/regress/usr.bin/ssh/principals-command.sh
+++ b/regress/usr.bin/ssh/principals-command.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $
+#	$OpenBSD: principals-command.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="authorized principals command"
@@ -68,7 +68,7 @@ for privsep in yes no ; do
 	# Empty authorized_principals
 	verbose "$tid: ${_prefix} empty authorized_principals"
 	echo > $OBJ/authorized_principals_$USER
-	${SSH} -2i $OBJ/cert_user_key \
+	${SSH} -i $OBJ/cert_user_key \
 	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 	if [ $? -eq 0 ]; then
 		fail "ssh cert connect succeeded unexpectedly"
@@ -77,7 +77,7 @@ for privsep in yes no ; do
 	# Wrong authorized_principals
 	verbose "$tid: ${_prefix} wrong authorized_principals"
 	echo gregorsamsa > $OBJ/authorized_principals_$USER
-	${SSH} -2i $OBJ/cert_user_key \
+	${SSH} -i $OBJ/cert_user_key \
 	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 	if [ $? -eq 0 ]; then
 		fail "ssh cert connect succeeded unexpectedly"
@@ -86,7 +86,7 @@ for privsep in yes no ; do
 	# Correct authorized_principals
 	verbose "$tid: ${_prefix} correct authorized_principals"
 	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
-	${SSH} -2i $OBJ/cert_user_key \
+	${SSH} -i $OBJ/cert_user_key \
 	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 	if [ $? -ne 0 ]; then
 		fail "ssh cert connect failed"
@@ -95,7 +95,7 @@ for privsep in yes no ; do
 	# authorized_principals with bad key option
 	verbose "$tid: ${_prefix} authorized_principals bad key opt"
 	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
-	${SSH} -2i $OBJ/cert_user_key \
+	${SSH} -i $OBJ/cert_user_key \
 	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 	if [ $? -eq 0 ]; then
 		fail "ssh cert connect succeeded unexpectedly"
@@ -105,7 +105,7 @@ for privsep in yes no ; do
 	verbose "$tid: ${_prefix} authorized_principals command=false"
 	echo 'command="false" mekmitasdigoat' > \
 	    $OBJ/authorized_principals_$USER
-	${SSH} -2i $OBJ/cert_user_key \
+	${SSH} -i $OBJ/cert_user_key \
 	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 	if [ $? -eq 0 ]; then
 		fail "ssh cert connect succeeded unexpectedly"
@@ -116,7 +116,7 @@ for privsep in yes no ; do
 	verbose "$tid: ${_prefix} authorized_principals command=true"
 	echo 'command="true" mekmitasdigoat' > \
 	    $OBJ/authorized_principals_$USER
-	${SSH} -2i $OBJ/cert_user_key \
+	${SSH} -i $OBJ/cert_user_key \
 	    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
 	if [ $? -ne 0 ]; then
 		fail "ssh cert connect failed"
@@ -135,7 +135,7 @@ for privsep in yes no ; do
 		printf 'cert-authority,principals="gregorsamsa" '
 		cat $OBJ/user_ca_key.pub
 	) > $OBJ/authorized_keys_$USER
-	${SSH} -2i $OBJ/cert_user_key \
+	${SSH} -i $OBJ/cert_user_key \
 	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 	if [ $? -eq 0 ]; then
 		fail "ssh cert connect succeeded unexpectedly"
@@ -147,7 +147,7 @@ for privsep in yes no ; do
 		printf 'cert-authority,principals="mekmitasdigoat" '
 		cat $OBJ/user_ca_key.pub
 	) > $OBJ/authorized_keys_$USER
-	${SSH} -2i $OBJ/cert_user_key \
+	${SSH} -i $OBJ/cert_user_key \
 	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 	if [ $? -ne 0 ]; then
 		fail "ssh cert connect failed"
diff --git a/regress/usr.bin/ssh/proto-mismatch.sh b/regress/usr.bin/ssh/proto-mismatch.sh
index 9e8024beb0f..6ab28c9a7ad 100644
--- a/regress/usr.bin/ssh/proto-mismatch.sh
+++ b/regress/usr.bin/ssh/proto-mismatch.sh
@@ -1,21 +1,17 @@
-#	$OpenBSD: proto-mismatch.sh,v 1.4 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: proto-mismatch.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="protocol version mismatch"
 
 mismatch ()
 {
-	server=$1
 	client=$2
-	banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy`
+	banner=`echo ${client} | ${SSHD} -i -f ${OBJ}/sshd_proxy`
 	r=$?
 	trace "sshd prints ${banner}"
 	if [ $r -ne 255 ]; then
-		fail "sshd prints ${banner} and accepts connect with version ${client}"
+		fail "sshd prints ${banner} but accepts version ${client}"
 	fi
 }
 
-mismatch	2	SSH-1.5-HALLO
-if ssh_version 1; then
-	mismatch	1	SSH-2.0-HALLO
-fi
+mismatch	SSH-1.5-HALLO
diff --git a/regress/usr.bin/ssh/proto-version.sh b/regress/usr.bin/ssh/proto-version.sh
index cf494611548..5faeb758cfa 100644
--- a/regress/usr.bin/ssh/proto-version.sh
+++ b/regress/usr.bin/ssh/proto-version.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: proto-version.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: proto-version.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="sshd version with different protocol combinations"
@@ -6,9 +6,8 @@ tid="sshd version with different protocol combinations"
 # we just start sshd in inetd mode and check the banner
 check_version ()
 {
-	version=$1
 	expect=$2
-	banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
+	banner=`printf '' | ${SSHD} -i -f ${OBJ}/sshd_proxy`
 	case ${banner} in
 	SSH-1.99-*)
 		proto=199
@@ -24,13 +23,8 @@ check_version ()
 		;;
 	esac
 	if [ ${expect} -ne ${proto} ]; then
-		fail "wrong protocol version ${banner} for ${version}"
+		fail "wrong protocol version ${banner}"
 	fi
 }
 
-check_version	2	20
-if ssh_version 1; then
-	check_version	2,1	199
-	check_version	1,2	199
-	check_version	1	15
-fi
+check_version	20
diff --git a/regress/usr.bin/ssh/proxy-connect.sh b/regress/usr.bin/ssh/proxy-connect.sh
index b7a43fabe78..f1b9d9f76bd 100644
--- a/regress/usr.bin/ssh/proxy-connect.sh
+++ b/regress/usr.bin/ssh/proxy-connect.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: proxy-connect.sh,v 1.9 2016/02/17 02:24:17 djm Exp $
+#	$OpenBSD: proxy-connect.sh,v 1.10 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="proxy connect"
@@ -6,27 +6,22 @@ tid="proxy connect"
 mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
 
 for ps in no yes; do
-  cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
-  echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
-
-  for p in ${SSH_PROTOCOLS}; do
-    for c in no yes; do
-	verbose "plain username protocol $p privsep=$ps comp=$c"
-	opts="-$p -oCompression=$c -F $OBJ/ssh_proxy"
-	SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'`
-	if [ $? -ne 0 ]; then
-		fail "ssh proxyconnect protocol $p privsep=$ps comp=$c failed"
-	fi
-	if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
-		fail "bad SSH_CONNECTION protocol $p privsep=$ps comp=$c: " \
-		    "$SSH_CONNECTION"
-	fi
-    done
-  done
+	cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+	echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
+	for c in no yes; do
+		verbose "plain username privsep=$ps comp=$c"
+		opts="-oCompression=$c -F $OBJ/ssh_proxy"
+		SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'`
+		if [ $? -ne 0 ]; then
+			fail "ssh proxyconnect privsep=$ps comp=$c failed"
+		fi
+		if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
+			fail "bad SSH_CONNECTION privsep=$ps comp=$c: " \
+			    "$SSH_CONNECTION"
+		fi
+	done
 done
 
-for p in ${SSH_PROTOCOLS}; do
-	verbose "username with style protocol $p"
-	${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \
-		fail "ssh proxyconnect protocol $p failed"
-done
+verbose "username with style"
+${SSH} -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \
+	fail "ssh proxyconnect failed"
diff --git a/regress/usr.bin/ssh/putty-transfer.sh b/regress/usr.bin/ssh/putty-transfer.sh
index 23881d3a37e..308580fbc94 100644
--- a/regress/usr.bin/ssh/putty-transfer.sh
+++ b/regress/usr.bin/ssh/putty-transfer.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: putty-transfer.sh,v 1.4 2016/11/25 03:02:01 dtucker Exp $
+#	$OpenBSD: putty-transfer.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="putty transfer data"
@@ -7,33 +7,30 @@ if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
 	fatal "putty interop tests not enabled"
 fi
 
-# XXX support protocol 1 too
-for p in 2; do
-	for c in 0 1 ; do 
-	verbose "$tid: proto $p compression $c"
+for c in 0 1 ; do 
+	verbose "$tid: compression $c"
+	rm -f ${COPY}
+	cp ${OBJ}/.putty/sessions/localhost_proxy \
+	    ${OBJ}/.putty/sessions/compression_$c
+	echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
+	env HOME=$PWD ${PLINK} -load compression_$c -batch \
+	    -i putty.rsa cat ${DATA} > ${COPY}
+	if [ $? -ne 0 ]; then
+		fail "ssh cat $DATA failed"
+	fi
+	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
+
+	for s in 10 100 1k 32k 64k 128k 256k; do
+		trace "compression $c dd-size ${s}"
 		rm -f ${COPY}
-		cp ${OBJ}/.putty/sessions/localhost_proxy \
-		    ${OBJ}/.putty/sessions/compression_$c
-		echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
-		env HOME=$PWD ${PLINK} -load compression_$c -batch \
-		    -i putty.rsa$p cat ${DATA} > ${COPY}
+		dd if=$DATA obs=${s} 2> /dev/null | \
+			env HOME=$PWD ${PLINK} -load compression_$c \
+			    -batch -i putty.rsa \
+			    "cat > ${COPY}"
 		if [ $? -ne 0 ]; then
 			fail "ssh cat $DATA failed"
 		fi
-		cmp ${DATA} ${COPY}		|| fail "corrupted copy"
-	
-		for s in 10 100 1k 32k 64k 128k 256k; do
-			trace "proto $p compression $c dd-size ${s}"
-			rm -f ${COPY}
-			dd if=$DATA obs=${s} 2> /dev/null | \
-				env HOME=$PWD ${PLINK} -load compression_$c \
-				    -batch -i putty.rsa$p \
-				    "cat > ${COPY}"
-			if [ $? -ne 0 ]; then
-				fail "ssh cat $DATA failed"
-			fi
-			cmp $DATA ${COPY}	|| fail "corrupted copy"
-		done
+		cmp $DATA ${COPY}	|| fail "corrupted copy"
 	done
 done
 rm -f ${COPY}
diff --git a/regress/usr.bin/ssh/reconfigure.sh b/regress/usr.bin/ssh/reconfigure.sh
index 77956e6e0b9..b954d93b3d5 100644
--- a/regress/usr.bin/ssh/reconfigure.sh
+++ b/regress/usr.bin/ssh/reconfigure.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: reconfigure.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: reconfigure.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="simple connect after reconfigure"
@@ -7,12 +7,10 @@ tid="simple connect after reconfigure"
 start_sshd
 
 trace "connect before restart"
-for p in ${SSH_PROTOCOLS} ; do
-	${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
-	if [ $? -ne 0 ]; then
-		fail "ssh connect with protocol $p failed before reconfigure"
-	fi
-done
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+	fail "ssh connect with failed before reconfigure"
+fi
 
 $SUDO kill -HUP `cat $PIDFILE`
 sleep 1
@@ -27,9 +25,7 @@ done
 test -f $PIDFILE || fatal "sshd did not restart"
 
 trace "connect after restart"
-for p in ${SSH_PROTOCOLS} ; do
-	${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
-	if [ $? -ne 0 ]; then
-		fail "ssh connect with protocol $p failed after reconfigure"
-	fi
-done
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+	fail "ssh connect with failed after reconfigure"
+fi
diff --git a/regress/usr.bin/ssh/reexec.sh b/regress/usr.bin/ssh/reexec.sh
index dcb02bc0ee9..7fbe24c9add 100644
--- a/regress/usr.bin/ssh/reexec.sh
+++ b/regress/usr.bin/ssh/reexec.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: reexec.sh,v 1.10 2016/12/16 01:06:27 dtucker Exp $
+#	$OpenBSD: reexec.sh,v 1.11 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="reexec tests"
@@ -19,16 +19,13 @@ start_sshd_copy ()
 copy_tests ()
 {
 	rm -f ${COPY}
-	for p in ${SSH_PROTOCOLS} ; do
-		verbose "$tid: proto $p"
-		${SSH} -nqo "Protocol=$p" -F $OBJ/ssh_config somehost \
-		    cat ${DATA} > ${COPY}
-		if [ $? -ne 0 ]; then
-			fail "ssh cat $DATA failed"
-		fi
-		cmp ${DATA} ${COPY}		|| fail "corrupted copy"
-		rm -f ${COPY}
-	done
+	${SSH} -nq -F $OBJ/ssh_config somehost \
+	    cat ${DATA} > ${COPY}
+	if [ $? -ne 0 ]; then
+		fail "ssh cat $DATA failed"
+	fi
+	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
+	rm -f ${COPY}
 }
 
 verbose "test config passing"
@@ -64,4 +61,3 @@ copy_tests
 
 stop_sshd
 
-
diff --git a/regress/usr.bin/ssh/stderr-after-eof.sh b/regress/usr.bin/ssh/stderr-after-eof.sh
index 218ac6b68e1..9065245e84f 100644
--- a/regress/usr.bin/ssh/stderr-after-eof.sh
+++ b/regress/usr.bin/ssh/stderr-after-eof.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: stderr-after-eof.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
+#	$OpenBSD: stderr-after-eof.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="stderr data after eof"
@@ -10,7 +10,7 @@ for i in 1 2 3 4 5 6; do
 	(date;echo $i) | md5 >> ${DATA}
 done
 
-${SSH} -2 -F $OBJ/ssh_proxy otherhost \
+${SSH} -F $OBJ/ssh_proxy otherhost \
 	exec sh -c \'"exec > /dev/null; sleep 2; cat ${DATA} 1>&2 $s"\' \
 	2> ${COPY}
 r=$?
diff --git a/regress/usr.bin/ssh/stderr-data.sh b/regress/usr.bin/ssh/stderr-data.sh
index 8c8149a732b..0ceb72b3a29 100644
--- a/regress/usr.bin/ssh/stderr-data.sh
+++ b/regress/usr.bin/ssh/stderr-data.sh
@@ -1,13 +1,12 @@
-#	$OpenBSD: stderr-data.sh,v 1.4 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: stderr-data.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="stderr data transfer"
 
 for n in '' -n; do
-for p in ${SSH_PROTOCOLS}; do
-	verbose "test $tid: proto $p ($n)"
-	${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \
-		exec sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
+	verbose "test $tid: ($n)"
+	${SSH} $n -F $OBJ/ssh_proxy otherhost exec \
+	    sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
 		2> ${COPY}
 	r=$?
 	if [ $r -ne 0 ]; then
@@ -16,8 +15,8 @@ for p in ${SSH_PROTOCOLS}; do
 	cmp ${DATA} ${COPY}	|| fail "stderr corrupt"
 	rm -f ${COPY}
 
-	${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \
-		exec sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
+	${SSH} $n -F $OBJ/ssh_proxy otherhost exec \
+	    sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
 		> /dev/null 2> ${COPY}
 	r=$?
 	if [ $r -ne 0 ]; then
@@ -26,4 +25,3 @@ for p in ${SSH_PROTOCOLS}; do
 	cmp ${DATA} ${COPY}	|| fail "stderr corrupt"
 	rm -f ${COPY}
 done
-done
diff --git a/regress/usr.bin/ssh/test-exec.sh b/regress/usr.bin/ssh/test-exec.sh
index 6c9e3e6d527..66e536bef54 100644
--- a/regress/usr.bin/ssh/test-exec.sh
+++ b/regress/usr.bin/ssh/test-exec.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: test-exec.sh,v 1.59 2017/02/07 23:03:11 dtucker Exp $
+#	$OpenBSD: test-exec.sh,v 1.60 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 USER=`id -un`
@@ -91,12 +91,6 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then
 	CONCH="${TEST_SSH_CONCH}"
 fi
 
-SSH_PROTOCOLS=2
-#SSH_PROTOCOLS=`$SSH -Q protocol-version`
-if [ "x$TEST_SSH_PROTOCOLS" != "x" ]; then
-	SSH_PROTOCOLS="${TEST_SSH_PROTOCOLS}"
-fi
-
 # Path to sshd must be absolute for rexec
 case "$SSHD" in
 /*) ;;
@@ -246,22 +240,11 @@ fatal ()
 	exit $RESULT
 }
 
-ssh_version ()
-{
-	echo ${SSH_PROTOCOLS} | grep -q "$1"
-}
-
 RESULT=0
 PIDFILE=$OBJ/pidfile
 
 trap fatal 3 2
 
-if ssh_version 1; then
-	PROTO="2,1"
-else
-	PROTO="2"
-fi
-
 # create server config
 cat << EOF > $OBJ/sshd_config
 	Port			$PORT
@@ -319,11 +302,8 @@ fi
 
 rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
 
-if ssh_version 1; then
-	SSH_KEYTYPES="rsa rsa1"
-else
-	SSH_KEYTYPES="rsa ed25519"
-fi
+SSH_KEYTYPES="rsa ed25519"
+
 trace "generate keys"
 for t in ${SSH_KEYTYPES}; do
 	# generate user key
diff --git a/regress/usr.bin/ssh/transfer.sh b/regress/usr.bin/ssh/transfer.sh
index 36c14634ab9..cf174a00678 100644
--- a/regress/usr.bin/ssh/transfer.sh
+++ b/regress/usr.bin/ssh/transfer.sh
@@ -1,26 +1,23 @@
-#	$OpenBSD: transfer.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: transfer.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="transfer data"
 
-for p in ${SSH_PROTOCOLS}; do
-	verbose "$tid: proto $p"
+rm -f ${COPY}
+${SSH} -n -q -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY}
+if [ $? -ne 0 ]; then
+	fail "ssh cat $DATA failed"
+fi
+cmp ${DATA} ${COPY}		|| fail "corrupted copy"
+
+for s in 10 100 1k 32k 64k 128k 256k; do
+	trace "dd-size ${s}"
 	rm -f ${COPY}
-	${SSH} -n -q -$p -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY}
+	dd if=$DATA obs=${s} 2> /dev/null | \
+		${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
 	if [ $? -ne 0 ]; then
 		fail "ssh cat $DATA failed"
 	fi
-	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
-
-	for s in 10 100 1k 32k 64k 128k 256k; do
-		trace "proto $p dd-size ${s}"
-		rm -f ${COPY}
-		dd if=$DATA obs=${s} 2> /dev/null | \
-			${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
-		if [ $? -ne 0 ]; then
-			fail "ssh cat $DATA failed"
-		fi
-		cmp $DATA ${COPY}		|| fail "corrupted copy"
-	done
+	cmp $DATA ${COPY}		|| fail "corrupted copy"
 done
 rm -f ${COPY}
diff --git a/regress/usr.bin/ssh/try-ciphers.sh b/regress/usr.bin/ssh/try-ciphers.sh
index 889a735d27d..e04268ba35b 100644
--- a/regress/usr.bin/ssh/try-ciphers.sh
+++ b/regress/usr.bin/ssh/try-ciphers.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: try-ciphers.sh,v 1.25 2015/03/24 20:22:17 markus Exp $
+#	$OpenBSD: try-ciphers.sh,v 1.26 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="try ciphers"
@@ -8,14 +8,14 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 for c in `${SSH} -Q cipher`; do
 	n=0
 	for m in `${SSH} -Q mac`; do
-		trace "proto 2 cipher $c mac $m"
-		verbose "test $tid: proto 2 cipher $c mac $m"
+		trace "cipher $c mac $m"
+		verbose "test $tid: cipher $c mac $m"
 		cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 		echo "Ciphers=$c" >> $OBJ/sshd_proxy
 		echo "MACs=$m" >> $OBJ/sshd_proxy
-		${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
+		${SSH} -F $OBJ/ssh_proxy -m $m -c $c somehost true
 		if [ $? -ne 0 ]; then
-			fail "ssh -2 failed with mac $m cipher $c"
+			fail "ssh failed with mac $m cipher $c"
 		fi
 		# No point trying all MACs for AEAD ciphers since they
 		# are ignored.
@@ -26,17 +26,3 @@ for c in `${SSH} -Q cipher`; do
 	done
 done
 
-if ssh_version 1; then
-	ciphers="3des blowfish"
-else
-	ciphers=""
-fi
-for c in $ciphers; do
-	trace "proto 1 cipher $c"
-	verbose "test $tid: proto 1 cipher $c"
-	${SSH} -F $OBJ/ssh_proxy -1 -c $c somehost true
-	if [ $? -ne 0 ]; then
-		fail "ssh -1 failed with cipher $c"
-	fi
-done
-
diff --git a/regress/usr.bin/ssh/yes-head.sh b/regress/usr.bin/ssh/yes-head.sh
index 527e6fd3020..e0515e3cf0f 100644
--- a/regress/usr.bin/ssh/yes-head.sh
+++ b/regress/usr.bin/ssh/yes-head.sh
@@ -1,15 +1,13 @@
-#	$OpenBSD: yes-head.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
+#	$OpenBSD: yes-head.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="yes pipe head"
 
-for p in ${SSH_PROTOCOLS}; do
-	lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'yes | head -2000' | (sleep 3 ; wc -l)`
-	if [ $? -ne 0 ]; then
-		fail "yes|head test failed"
-		lines = 0;
-	fi
-	if [ $lines -ne 2000 ]; then
-		fail "yes|head returns $lines lines instead of 2000"
-	fi
-done
+lines=`${SSH} -F $OBJ/ssh_proxy thishost 'yes | head -2000' | (sleep 3 ; wc -l)`
+if [ $? -ne 0 ]; then
+	fail "yes|head test failed"
+	lines = 0;
+fi
+if [ $lines -ne 2000 ]; then
+	fail "yes|head returns $lines lines instead of 2000"
+fi
author	djm <djm@openbsd.org>	2017-04-30 23:34:55 +0000
committer	djm <djm@openbsd.org>	2017-04-30 23:34:55 +0000
commit	773d7cab3491aecbc30a1aeed07f6302b0fc24d2 (patch)
tree	03287e768dd34aec8243b0c91a2466961879920f
parent	remove SSHv1 support from unit tests (diff)
download	wireguard-openbsd-773d7cab3491aecbc30a1aeed07f6302b0fc24d2.tar.xz wireguard-openbsd-773d7cab3491aecbc30a1aeed07f6302b0fc24d2.zip