On Tue, 19 Feb 2002, Kevin Steves wrote:

> :If you're using SSH, you should make every attempt to restrict the daemon
> :to accepting version 2 of the protocol *only*.
>
> why?

v2 is a good protocol.

>
> :The v1 fallback stuff will
>
> what v1 fallback stuff?

Most sshd programs (including OpenSSH) will negotiate a lower version by default if the client wants it.

>
> :allow an attacker to use the horribly broken 1.5 stuff.
>
> what is horribly broken?
>
> there is a lot of FUD going around about SSH protocol 1. see
> http://www.openssh.com/security.html for security information on SSH and
> OpenSSH.

Right, you'll want to pay attention to the line (on the page you reference) that says "OpenSSH has the SSH 1 protocol deficiency that might make an insertion attack difficult but possible. The CORE-SDI deattack mechanism is used to eliminate the common case. Ways of solving this problem are being investigated, since the SSH 1 protocol is not dead yet."

If you don't *have* to support v1 clients, there's _no_ reason to support the v1 protocol, and given the weaknesses in implementations the argument for not supporting it is compelling.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]       which may have no basis whatsoever in fact."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
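A configuration check in the spirit of the advice above, added here and not part of the original thread: it reads an OpenSSH sshd_config and reports whether protocol 1 is still accepted. It follows sshd's parsing rules (case-insensitive keywords, '#' comments, first occurrence of a keyword wins) and assumes, as the thread describes for that era, that a config with no Protocol line falls back to "2,1"; the sample configs are constructed.

```python
"""Audit an sshd_config for SSH protocol 1 exposure (added example)."""

# Assumption: with no Protocol line, sshd of this era accepted both
# versions, i.e. the fallback behaviour the thread describes.
ASSUMED_DEFAULT_PROTOCOL = "2,1"


def effective_protocol(config_text: str) -> str:
    """Return the Protocol value sshd would use for this config text.

    sshd_config semantics: '#' starts a comment, keywords are
    case-insensitive, 'Keyword value' or 'Keyword=value' are accepted,
    and the first occurrence of a keyword is the one that takes effect.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if parts[0].lower() == "protocol" and len(parts) == 2:
            return parts[1].strip()
    return ASSUMED_DEFAULT_PROTOCOL


def allowed_versions(config_text: str) -> set:
    """Set of protocol version strings the daemon would negotiate."""
    return {v.strip() for v in effective_protocol(config_text).split(",") if v.strip()}


def protocol1_allowed(config_text: str) -> bool:
    return "1" in allowed_versions(config_text)


def audit(config_text: str) -> str:
    versions = sorted(allowed_versions(config_text))
    if "1" in versions:
        return f"WEAK: sshd accepts protocol versions {versions}; set 'Protocol 2'"
    return "OK: protocol 2 only"


# Constructed sample configs. The commented-out line in WEAK_CONFIG is a
# common mistake: the real setting is the later 'Protocol 2,1'.
WEAK_CONFIG = "#Protocol 2\nPort 22\nProtocol 2,1\nPermitRootLogin no\n"
FIXED_CONFIG = "Port 22\nProtocol 2   # v1 clients are not supported here\nPermitRootLogin no\n"

if __name__ == "__main__":
    print(audit(WEAK_CONFIG))
    print(audit(FIXED_CONFIG))
    print(audit(""))  # no Protocol line: flagged under the assumed default
```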
