On Mon, Jul 25, 2005 at 08:36:21PM -0700, Chris Carey wrote:
> One thing I noticed with Redhat 9, Redhat 10 was that
> the default sshd_config was set to downgrade to SSHv1
> if SSHv2 fails
>
> In Redhat sshd_config it says:
>
> Protocol 2,1
>
> I ask the group - Is this still the case with current
> Fedoras? Please check your config file.
>
> This setting allows the machine to be compromised with
> MITM attack. The ssh server can be forced to use SSH1
> instead of SSH2 and then compromised using faults in
> SSH1. The username/password can be seen as well as the
> session. ettercap is one of the tools that can do
> this.
>
> For better safety, the setting should be:
>
> Protocol 2
I just checked a freshly minted FC4 installation, and that is what both the ssh and sshd config file specify.

--
Charles Curley                    /"\    ASCII Ribbon Campaign
Looking for fine software         \ /    Respect for open standards
and/or writing?                    X     No HTML/RTF in email
http://www.charlescurley.com      / \    No M$ Word docs in email
Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
This has been a P.L.U.G. mailing.
Don't Fear the Penguin.
IRC: #utah at irc.freenode.net
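An added example (not part of the thread, and not a tool from the list): a portable sh check that audits an sshd_config or ssh_config for the Protocol directive the thread discusses. It assumes the file path is passed as the first argument; the two sample config files it writes are constructed here to show the weak Red Hat default beside the recommended setting.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# sshd honours the FIRST uncommented occurrence of a keyword, so that is the
# one inspected. ssh_protocol_status returns 0 if only SSHv2 is offered
# ("Protocol 2"), 1 if SSHv1 is still permitted ("Protocol 2,1", "1,2" or "1"),
# 2 if the directive is absent (older OpenSSH then fell back to 2,1 by default).

ssh_protocol_value() {
    # Print the argument of the first active "Protocol" line in file $1.
    # Accepts both "Protocol 2,1" and "Protocol=2,1"; blanks and any
    # trailing comment are stripped from the value.
    sed -n -E 's/^[[:space:]]*[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll]([[:space:]]+|[[:space:]]*=[[:space:]]*)//p' "$1" \
        | head -n 1 \
        | sed -E 's/[[:space:]]*(#.*)?$//; s/[[:space:]]//g'
}

ssh_protocol_status() {
    val=$(ssh_protocol_value "$1")
    [ -z "$val" ] && return 2
    case "$val" in
        2) return 0 ;;   # SSHv2 only: nothing for a downgrade to fall back to
        *) return 1 ;;   # any list containing 1 leaves SSHv1 reachable
    esac
}

# Constructed sample files: the weak default quoted in the thread and the fix.
tmpdir=$(mktemp -d)
cat > "$tmpdir/weak.conf" <<'EOF'
#Protocol 2           <- commented out, so it must be ignored
Port 22
Protocol 2,1
EOF
cat > "$tmpdir/fixed.conf" <<'EOF'
Port 22
Protocol 2
EOF

for f in "$tmpdir/weak.conf" "$tmpdir/fixed.conf"; do
    rc=0; ssh_protocol_status "$f" || rc=$?
    case $rc in
        0) echo "OK   $f: Protocol 2 only" ;;
        1) echo "WARN $f: Protocol '$(ssh_protocol_value "$f")' still offers SSHv1; set 'Protocol 2'" ;;
        *) echo "NOTE $f: no Protocol line; the compiled-in default applies" ;;
    esac
done
rm -rf "$tmpdir"
```

Run it against /etc/ssh/sshd_config and /etc/ssh/ssh_config after any upgrade, since a package update may reinstall the vendor default.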
