Iain Tatch wrote:

> 
>>AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need
>>to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though,
>>as SSH2 so far does not support RSA keypairs and needs DSA keys.  
>>
> That's the impression I was under, too. In which case the current stable
> release of Debian comes with an sshd which uses protocol 1 and is
> therefore open to allowing remote root compromises.

Just a quick precision here: you have to _disable_ v1 in order to be 
protected from that vulnerability. The point here is not that you have to 
support v2, it's that you have to disallow v1. A recent daemon allowing ssh1 
connections is vulnerable.

--
Daniel
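
The distinction made in the reply above, written as a configuration check (an added example, not part of the original message). It assumes the daemon is OpenSSH and that protocol versions are selected with the `Protocol` keyword in sshd_config; the sample configurations are constructed, and the function names are hypothetical.

```python
import re

def protocol_versions(config_text):
    """Return the versions on the first 'Protocol' line, or None if absent.

    sshd uses the first value it reads for a keyword, and keywords are
    case-insensitive. Stripping everything after '#' is a simplification.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "protocol" and len(parts) == 2:
            return {v.strip() for v in parts[1].split(",") if v.strip()}
    return None

def audit(config_text):
    """Classify a config by whether it still accepts SSH1 connections."""
    versions = protocol_versions(config_text)
    if versions is None:
        # No directive: the compiled-in default decides, so v1 is not
        # proven to be disabled.
        return "UNKNOWN"
    if "1" in versions:
        # Offering v2 as well does not help; v1 is still accepted.
        return "V1_ENABLED"
    return "V1_DISABLED"

# Constructed sample configurations.
SAMPLES = {
    "v2 preferred, v1 still allowed": "Port 22\nProtocol 2,1\n",
    "v1 only": "Protocol 1\n",
    "v2 only": "Port 22\nProtocol 2\n",
    "directive commented out": "#Protocol 2\nPort 22\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {audit(text)}")
```

Only the `V1_DISABLED` result matches what the reply asks for; `UNKNOWN` means the daemon's own default has to be checked.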

