On Mon, Jun 03, 2002, Michael Schloh von Bennewitz wrote:
> On Fri, May 31, 2002 at 04:48:08PM +0200, Ralf S. Engelschall wrote:
> > Log:
> > - default to "Protocol 2,1" in server and "Protocol 1,2" in client
> >
> Interesting. Why is the first version more attractive on the client here? I
> assume that the reason for creating a second version of the SSH protocol has
> to do with security problems in the first.
Using protocol 1 in the client isn't more attractive, it is a
work-around to make sure people do not get confused because they can no
longer connect to their servers. The problem is this: the server supports
SSH-1 and SSH-2, but the user has only his SSH-1 key on the server (as
is the case for most servers I know); the user now connects with "Protocol
2,1" to the server; client and server recognize that SSH-2 should be
tried; the client has no SSH-2 key, so the SSH-2 connection fails; the client
stops processing because it _DOES NOT_ try again or fall back to SSH-1 (where
the key exists). The SSH-2 to SSH-1 fallback only works if one side does
not speak SSH-2 at all. But if both sides speak SSH-2 and a suitable key
is missing, processing stops immediately without any fallback. As a
result the user gets a "permission denied" and can only connect with "ssh
-1 ...". So, unless all users also have SSH-2 keys (and stored on the
server), it is wise that they use "Protocol 1,2" _by default_.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
The OpenPKG Project www.openpkg.org
Developer Communication List [EMAIL PROTECTED]
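The negotiation Ralf describes, as a small model added here for illustration; it is not OpenSSH code and not part of the original thread. It encodes three rules: the server's identification banner says which major versions it speaks ("SSH-1.5" for SSH-1 only, "SSH-2.0" for SSH-2 only, "SSH-1.99" for both, per RFC 4253); the client takes the first entry of its "Protocol" list that the server also speaks; and if authentication then fails, the client gives up rather than retrying with the other version. The `keys_on_server` set (which protocol versions the user has a key installed for; SSH-1 uses the separate RSA1 "identity" key) and the banner strings are constructed for the example. Note that the "Protocol" option and SSH-1 support were removed from OpenSSH years after this 2002 thread (server side in 7.4, client side in 7.6), so the model documents historical behaviour.

```python
"""Model of the OpenSSH protocol-version negotiation discussed above.

Constructed example, not OpenSSH source.  Rules encoded:
  * the server banner announces what it speaks
    (SSH-1.5 = SSH-1 only, SSH-2.0 = SSH-2 only, SSH-1.99 = both);
  * the client picks the first entry of its "Protocol" list that the
    server also speaks;
  * if authentication then fails, the client stops; it never retries
    with the other protocol version.
"""


def server_supports(banner: str) -> set:
    """Map a server identification string to the major versions it speaks."""
    version = banner.split("-", 2)[1]  # "SSH-1.99-OpenSSH_3.2" -> "1.99"
    if version == "1.99":
        return {1, 2}
    if version.startswith("2."):
        return {2}
    if version.startswith("1."):
        return {1}
    raise ValueError(f"unrecognised banner: {banner!r}")


def negotiate(client_protocol: str, banner: str):
    """Return the major version the client will use, or None if none match.

    client_protocol is the ssh_config "Protocol" value, e.g. "2,1"; its
    order is the client's preference order.
    """
    server = server_supports(banner)
    for entry in client_protocol.split(","):
        major = int(entry.strip())
        if major in server:
            return major
    return None


def connect(client_protocol: str, banner: str, keys_on_server: set) -> str:
    """Outcome of one ssh invocation.

    keys_on_server: constructed set of protocol versions for which the
    user has a public key installed on the server ({1} = RSA1 identity
    only, {1, 2} = both an RSA1 identity and an SSH-2 key).
    """
    major = negotiate(client_protocol, banner)
    if major is None:
        return "protocol mismatch"
    if major in keys_on_server:
        return f"connected via SSH-{major}"
    # Authentication failed; no retry with the other version.
    return f"Permission denied (tried SSH-{major} only)"


if __name__ == "__main__":
    both = "SSH-1.99-OpenPKG_sshd"      # constructed banner: speaks 1 and 2
    old = "SSH-1.5-OpenPKG_sshd"        # constructed banner: SSH-1 only
    print(connect("2,1", both, {1}))    # the confusing case from the mail
    print(connect("1,2", both, {1}))    # the chosen client default
    print(connect("2,1", old, {1}))     # fallback works: server lacks SSH-2
    print(connect("2,1", both, {1, 2})) # SSH-2 used once the key exists
```

Run it with the hypothetical banners above and the first line shows the failure the mail describes: with "Protocol 2,1" and only an SSH-1 key on the server, the client negotiates SSH-2, fails authentication, and never falls back.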