On Wed, Jan 21, 2004 at 02:44:31PM +0200, Erno Kuusela wrote:
> hello,
> | It's perhaps true that the message above was added too early in
> | OpenSSH's life cycle. However, in my opinion and in the opinion of other
> | SSH implementors I've talked to, it's no longer sensible to recommend
> | SSH 1 over SSH 2. The latter is simply a better-designed protocol, with
> | support for extensions that wasn't remotely present in SSH 1, and by now
> | it's been quite thoroughly audited. The relative rarity of reported SSH
> | 1-only vulnerabilities is simply because it's no longer attracting much
> | in the way of audit *at all* compared with SSH 2.
> |
> | I think we're giving the right advice.
>
> i cannot present any evidence about auditing, so i won't argue with this.
>
> another thing: enabling both protocols at once of course increases the
> "area" of the potentially vulnerable protocol interface. if the user
> requires the use of v1 for compatibility, there should be an option
> to enable v1 only.

There is; it's just not presented by debconf. Not all of OpenSSH's
configuration options are - nor should be - presented by debconf.

Cheers,

--
Colin Watson [EMAIL PROTECTED]

