On Mon, Sep 19, 2005 at 05:44:48PM +1200, Hadley RIch wrote:
> It has its part of an overall security system. Nothing wrong with avoiding
> all the general human/bot scans.
Apparently moving port numbers away from their defaults can become awkward when administering large networks.

OpenSSH provides both protocol 1 and 2 for host authentication before login. Protocol 1 is insecure as there is no exchange of public/private keys and IP address spoofing is possible. The protocols are configured this way in sshd_config:

    Protocol 2,1

This means allow "both" protocols 1 & 2, not a preferential selection of use 2 "before" 1. It is the client request that determines what protocol to use, and the only way to force protocol 2 is to configure it as the only protocol provided. See 'man sshd_config'.

I would assume that most of the exploits are aimed at protocol 1, and since trusted clients are able to use protocol 2 it seems pointless to have sshd enable protocol 1.

-- 
keith.
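As an added illustration of the point made above (example code written for this page, not from anyone in the thread), the small shell function below reads an sshd_config from stdin and reports whether the effective Protocol directive would still let a client negotiate protocol 1. It follows sshd's rule that the first non-comment occurrence of a keyword wins, and it treats a missing directive as "default" rather than guessing the compiled-in value, since that default changed across OpenSSH releases and later releases dropped protocol 1 support entirely. The sample configurations piped into it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original mail: audit the Protocol
# directive in an sshd_config (read from stdin) and report whether the
# daemon would still accept protocol 1. Sample configs below are constructed.

# protocol1_status < sshd_config
#   prints "enabled"  if the effective Protocol value lists 1 ("2,1", "1,2", "1")
#          "disabled" if the value does not list 1 (e.g. exactly "2")
#          "default"  if no Protocol directive is present; the compiled-in
#                     default then applies, so consult 'man sshd_config'
#                     for the release actually installed
# Like sshd itself, only the first non-comment Protocol line counts.
protocol1_status() {
    # awk skips leading whitespace; a commented line has "#..." as $1,
    # so it never matches the keyword.
    value=$(awk 'tolower($1) == "protocol" { print $2; exit }')
    if [ -z "$value" ]; then
        echo default
        return 0
    fi
    # Wrap in commas so a bare "1" token is found wherever it sits in the list.
    case ",$value," in
        *,1,*) echo enabled ;;
        *)     echo disabled ;;
    esac
}

# Constructed sample: the permissive setting discussed in the thread.
printf 'Port 22\nProtocol 2,1\n' | protocol1_status      # enabled
# Constructed sample: protocol 2 only, the setting the mail recommends.
printf 'Port 22\nProtocol 2\n'   | protocol1_status      # disabled
# Constructed sample: directive absent, so the daemon's default applies.
printf 'Port 22\n'               | protocol1_status      # default
```

Run it against a real file with `protocol1_status < /etc/ssh/sshd_config`; anything other than "disabled" means the server either still offers protocol 1 or is relying on a default you should confirm for your OpenSSH version.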
