> Anne Carasik <[EMAIL PROTECTED]> wrote on 13/05/2002 (17:55) :
> > Security issues? Can you be more specific?
> >
> > There aren't any security issues (yet) with the SSH 2.0 protocol.
> >
> > From what I know, there aren't any issues using mindterm for 2.0
> > either :)
> >
>
> But the Mindterm package in Debian does not support SSH 2.0, this is the
> point. It supports 1.x only.

SSH 1 has two major kinds of security vulns:

1) Bugs in the server daemon. ... These have been mostly resolved and don't really concern the client user.

2) Bugs in the design of the protocol. Because ssh1 allows you to deduce how many (unencrypted) bytes of data you are sending in each packet, there are a host of things that make it easier to crack passwords. Additionally, if you use the RC4 cipher, it is trivial to crack one's password.

Some interesting articles on this are:

http://216.239.35.100/search?q=cache:O38kBECQ9KsC:paris.cs.berkeley.edu/~dawnsong/papers/ssh-timing.pdf+ssh+vulnerabilities+1+byte+password+crack&hl=en

http://216.239.33.100/search?q=cache:n9qPBRuFs2YC:xforce.iss.net/static/6449.php+ssh+rc4&hl=en

However, I think another problem you will have is that the newer ssh2 daemons don't run in ssh1 mode (for security reasons), so you won't even be able to connect to them.

-rishi
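Added illustration, not part of the message above: a small Python model of the length leak mentioned in point 2, comparing what is visible on the wire for an SSH-1 password packet and an SSH-2 one. It assumes the SSH 1.5 packet layout (cleartext length field, padding derived from it) and the RFC 4253 layout with minimum padding and an encrypted length field; the 40-byte fixed part of the SSH-2 request and the 20-byte MAC are constructed values.

```python
# Added example: models packet sizes only, no network traffic or crypto.

def ssh1_wire(data_len):
    """Return (cleartext length field, bytes on the wire) for one SSH-1 packet."""
    length = 1 + data_len + 4        # type byte + data + CRC-32; padding not counted
    padding = 8 - (length % 8)       # 1..8 bytes, fully determined by the length
    return length, 4 + padding + length

def ssh2_wire(payload_len, block=8, mac_len=20):
    """Return bytes on the wire for one SSH-2 packet with minimum padding."""
    unpadded = 4 + 1 + payload_len   # packet_length + padding_length + payload
    padding = block - (unpadded % block)
    if padding < 4:                  # RFC 4253 requires at least 4 padding bytes
        padding += block
    return unpadded + padding + mac_len

def ssh1_view(pw_len):
    # SSH_CMSG_AUTH_PASSWORD carries one string: 4-byte length prefix + password.
    # The packet length field is sent unencrypted, so this value is observable.
    return ssh1_wire(4 + pw_len)[0]

def ssh2_view(pw_len, fixed=40):
    # 'fixed' stands in for the other fields of the password request
    # (constructed value). The length field is encrypted, so only the
    # total size of the packet is observable.
    return ssh2_wire(fixed + pw_len)

def password_lengths_seen(wire_view, lengths):
    """Group candidate password lengths by what a passive observer sees."""
    groups = {}
    for n in lengths:
        groups.setdefault(wire_view(n), []).append(n)
    return groups

if __name__ == "__main__":
    candidates = range(4, 13)        # constructed sample: password lengths 4..12
    for name, view in (("SSH-1", ssh1_view), ("SSH-2", ssh2_view)):
        print(name)
        for seen, lens in password_lengths_seen(view, candidates).items():
            print(f"  observed {seen:3d} -> password length in {lens}")
```

In this model every password length maps to a distinct observable value under SSH-1, while SSH-2 only reveals which 8-byte bucket the packet falls into.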

