On Mon, Jun 03, 2002 at 01:32:57PM +0200, Ralf S. Engelschall wrote:
> On Mon, Jun 03, 2002, Michael Schloh von Bennewitz wrote:
>
> > On Fri, May 31, 2002 at 04:48:08PM +0200, Ralf S. Engelschall wrote:
> > > Log:
> > > - default to "Protocol 2,1" in server and "Protocol 1,2" in client
> >
> > Interesting. Why is the first version more attractive here for the
> > client? I assume that the reason a second version of the SSH protocol
> > was created has to do with security problems in the first.
>
> Using protocol 1 in the client isn't more attractive, it is a
> work-around to make sure people do not get confused because they no
> longer connect to their servers. The problem is this: server supports
> SSH-1 and SSH-2, but user has only his SSH-1 key on the server (as it
> is the case for most servers I know); user now connects with "Protocol
> 2,1" to server; client and server recognize that SSH-2 should be
> tried; client has no SSH-2 key so SSH-2 connection fails; client stops
> processing because it _DOES NOT_ try again or fall back to SSH-1 (where
> the key exists). The SSH-2 to SSH-1 fallback only works if one side does
> not speak SSH-2 at all. But if both sides speak SSH-2 but a suitable key
> is missing, processing stops immediately without any fallbacks. As a
> result the user gets a permission denied and can only connect with "ssh
> -1 ...". So, unless all users have also SSH-2 keys (and stored on the
> server) it is wise they _by default_ use "Protocol 1,2".
So far, I too have configured the openssh I distribute to have the client default to Protocol 1,2. However, one of my users persuaded me I should reverse it now rather than later because the longer I wait the larger the impact will be as more users get on board. Better to bite the bullet now. Actually, most of my company is still on a ssh-1.2.27 variant and I plan to upgrade them to openssh soon. I think it would be better to have just one round of upgrade pain, forcing people to generate a protocol 2 key or switch to protocol 1 now, rather than switching the default protocol on people in a future upgrade.

- Dave Dykstra
______________________________________________________________________
The OpenPKG Project                                      www.openpkg.org
Developer Communication List                           [EMAIL PROTECTED]
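The negotiation and "no fallback after authentication" behaviour that Ralf describes, and that Dave's users would hit after the default flips to "Protocol 2,1", modelled as a small simulation. This is an added example, not OpenPKG or OpenSSH code; the server banners (the "SSH-1.99-..." convention for a server that speaks both versions is real, the OpenSSH version strings in them are constructed) and the sets of keys each side holds are assumptions chosen to reproduce the four cases from the thread.

```python
# Added example (not OpenPKG or OpenSSH code): a model of the SSH version
# negotiation and of the absence of an SSH-2 -> SSH-1 fallback once a
# version has been agreed, as described in the thread above.


def parse_banner(banner):
    """Return the protocol versions a server advertises in its identification
    string. "SSH-1.99-..." is the conventional way for a server that speaks
    both SSH-1 and SSH-2 to say so; "SSH-2.0-..." means SSH-2 only and
    "SSH-1.x-..." (x != 99) means SSH-1 only."""
    if not banner.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % banner)
    protoversion = banner.split("-", 2)[1]
    if protoversion == "1.99":
        return {1, 2}
    if protoversion.startswith("2."):
        return {2}
    if protoversion.startswith("1."):
        return {1}
    raise ValueError("unknown protocol version: %r" % protoversion)


def negotiate(client_prefs, server_versions):
    """Pick the first version in the client's "Protocol" list that the server
    also speaks; None if the two sides have no version in common."""
    for version in client_prefs:
        if version in server_versions:
            return version
    return None


def connect(client_prefs, banner, client_keys, authorized_keys):
    """Simulate one connection attempt using public-key authentication only.

    client_prefs    -- tuple in the order of the client's "Protocol" option
    banner          -- the server's identification string
    client_keys     -- versions the user holds an identity key for
    authorized_keys -- versions the server has a matching key on file for

    The only "fallback" in this model is at the version-negotiation step;
    once a version is chosen, an authentication failure is final. That is
    the assumption behind Ralf's description (a real client may still
    offer other authentication methods for the same version).
    """
    version = negotiate(client_prefs, parse_banner(banner))
    if version is None:
        return "no common protocol version"
    if version in client_keys and version in authorized_keys:
        return "SSH-%d authenticated" % version
    return "SSH-%d permission denied" % version


def demo():
    """The cases discussed in the thread; returns {case: result}."""
    both = "SSH-1.99-OpenSSH_3.2"  # constructed banner: speaks SSH-1 and SSH-2
    old = "SSH-1.5-OpenSSH_3.2"    # constructed banner: SSH-1 only
    return {
        # user has only an SSH-1 key on the server, client default "Protocol 2,1"
        "2,1 vs dual server, SSH-1 key only": connect((2, 1), both, {1}, {1}),
        # same user, client default "Protocol 1,2"
        "1,2 vs dual server, SSH-1 key only": connect((1, 2), both, {1}, {1}),
        # fallback does work when the server does not speak SSH-2 at all
        "2,1 vs SSH-1-only server": connect((2, 1), old, {1}, {1}),
        # after the user has generated and installed an SSH-2 key
        "2,1 vs dual server, both keys": connect((2, 1), both, {1, 2}, {1, 2}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-40s %s" % (case, result))
```

The second and fourth cases are the two ways out of the problem: ship "Protocol 1,2" in the client as Ralf's commit does, or, as Dave prefers, make every user install an SSH-2 key on the server before the default changes.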
