On Tue, 19 Feb 2002, Paul Robertson wrote:

:> :If you're using SSH, you should make every attempt to restrict the daemon
:> :to accepting version 2 of the protocol *only*.
:>
:> why?
:
:v2 is a good protocol.

agreed. you are implying that v1 is bad. this is false.

:> :The v1 fallback stuff will
:>
:> what v1 fallback stuff?
:
:Most sshd programs (including OpenSSH) will negotiate a lower version by
:default if the client wants it.

true.

:> :allow an attacker to use the horribly broken 1.5 stuff.
:>
:> what is horribly broken?
:>
:> there is a lot of FUD going around about SSH protocol 1. see
:> http://www.openssh.com/security.html for security information on SSH and
:> OpenSSH.
:
:Right, you'll want to pay attention to the line (on the page you
:reference) that says "OpenSSH has the SSH 1 protocol deficiency that might
:make an insertion attack difficult but possible. The CORE-SDI deattack
:mechanism is used to eliminate the common case. Ways of solving this problem
:are being investigated, since the SSH 1 protocol is not dead yet."

i'm glad we got to the details rather than broad handwaving. protocol 1
does have weaknesses; however, it is not horribly broken as you say, and its
support in OpenSSH has hastened the migration to protocol 2 by permitting
people to better manage large migration efforts.

:If you don't *have* to support v1 clients, there's _no_ reason to support
:the v1 protocol

yes, agreed :)

:and given the weaknesses in implementations the argument
:for not supporting it is compelling.

are you referring to the deattack buffer overflow? implementation
vulnerabilities are addressed by keeping your software patched.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
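The two concrete checks behind this exchange, as an added example that is not part of the thread or of OpenSSH: whether a server still offers the protocol 1 fallback, and whether its sshd_config asks for it. The first is visible in the identification string every SSH server sends before key exchange (RFC 4253 section 5.1): a server that will speak both protocol 1 and protocol 2 announces "SSH-1.99-...", a protocol 2 only server announces "SSH-2.0-...", and a protocol 1 only server announces "SSH-1.5-" (or the older "1.3"). The second is the "Protocol" directive of OpenSSH of that era, whose compiled-in default was "2,1", i.e. fallback permitted; sshd keywords are case-insensitive and the first value seen for a keyword wins. The banners and config fragments below are constructed for the example, not captured from any host. Caveat: OpenSSH 7.4 and later have no server-side protocol 1 at all, so the config check only means something for older servers; the banner check is still the right way to confirm what a remote sshd actually offers.

```python
import re

# Constructed sample identification strings (not captured from real hosts).
# RFC 4253 s.5.1: "SSH-protoversion-softwareversion SP comments CR LF".
SAMPLE_BANNERS = {
    "fallback-host": "SSH-1.99-OpenSSH_3.0.2p1\r\n",   # protocol 1 and 2
    "v2-only-host": "SSH-2.0-OpenSSH_3.0.2p1\r\n",     # protocol 2 only
    "legacy-host": "SSH-1.5-1.2.27\r\n",               # protocol 1 only
}

# Constructed sshd_config fragments. OpenSSH 3.x shipped the directive
# commented out ("#Protocol 2,1"), so the default permitted v1 fallback.
SAMPLE_CONFIGS = {
    "default": "Port 22\n#Protocol 2,1\nPermitRootLogin no\n",
    "hardened": "Port 22\nProtocol 2\nPermitRootLogin no\n",
}

BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<soft>\S+)(?: (?P<comment>.*))?$")


def classify_banner(banner):
    """Classify a server identification string as 'v2-only',
    'v1-and-v2', 'v1-only' or 'unknown' (not an SSH banner at all)."""
    m = BANNER_RE.match(banner.rstrip("\r\n"))
    if not m:
        return "unknown"
    proto = m.group("proto")
    if proto == "2.0":
        return "v2-only"
    if proto == "1.99":
        return "v1-and-v2"
    if proto.startswith("1."):
        return "v1-only"
    return "unknown"


def sshd_config_protocols(text):
    """Return the protocol versions an OpenSSH 3.x-era sshd_config enables.

    '#' starts a comment, keywords are case-insensitive, 'Protocol' takes a
    comma-separated list, and sshd uses the first value it sees for a
    keyword. With no directive present the default of that era, 2 then 1,
    applies (the "fallback by default" behaviour discussed in the thread).
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        if fields[0].lower() == "protocol" and len(fields) == 2:
            return [int(v) for v in fields[1].replace(" ", "").split(",")]
    return [2, 1]


def audit(banner, config_text):
    """Return findings for a host; an empty list means protocol 2 only
    both as advertised on the wire and as configured."""
    findings = []
    kind = classify_banner(banner)
    if kind != "v2-only":
        findings.append("banner does not restrict to protocol 2 (%s)" % kind)
    enabled = sshd_config_protocols(config_text)
    if 1 in enabled:
        findings.append("sshd_config enables protocol 1: Protocol %s"
                        % ",".join(str(v) for v in enabled))
    return findings


if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        print("%-14s %s" % (host, classify_banner(banner)))
    print(audit(SAMPLE_BANNERS["fallback-host"], SAMPLE_CONFIGS["default"]))
    print(audit(SAMPLE_BANNERS["v2-only-host"], SAMPLE_CONFIGS["hardened"]))
```

Against a live host the banner is the first line the server sends after the TCP connect, so the same classifier can be fed the output of a plain socket read on port 22; only the config half needs access to the box itself.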
