[CLUE-Tech] sshd question
David Guntner
davidg at akaMail.com
Mon Aug 11 12:46:37 MDT 2003
David Anselmi grabbed a keyboard and wrote:
>
> David Guntner wrote:
> >
> > [...]
> > Trust me, you *don't* want to support Protocol 1. At all.
>
> Strong words without a complete risk analysis. Can you explain what an
> attacker would have to do to exploit the version 1 protocol, so Kevin
> can make an informed decision about using it?
I'm sure another Google search, this time for ssh protocol 1, would provide
that information for him better than I could. :-) Short version: Protocol
1 has had numerous security problems in the past and has been broken a
number of times.
> Of course there isn't anything in Kevin's log to suggest that he is
> using version 1.
I didn't say there was. But the default configuration has "Protocol 2,1"
in it, meaning that it prefers protocol 2 but will fall back to protocol 1
if that's what's offered. By removing ",1" it will no longer support that
protocol on a connecting client, which then denies an attacker one avenue
of attack. I've seen any number of security discussions which end up
mentioning that protocol 1 should be avoided at all costs.
--Dave
--
David Guntner GEnie: Just say NO!
http://www.akaMail.com/pgpkey/davidg or key server for PGP Public key
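The sshd_config change discussed in the message above, as an added example that is not part of the original post and not OpenSSH's own tooling: a POSIX shell script that classifies whether an sshd_config file still admits protocol 1 (a "Protocol 2,1" or "Protocol 1" directive, honouring sshd_config's comment, case and first-occurrence rules) and applies the ",1" removal the post recommends to a copy of the file. The sample configuration it runs on is constructed for the demonstration. Note that the "default" result is release-dependent: OpenSSH before 5.4 defaulted to "2,1", 5.4 and later default to "2", and 7.4 and later ship no server-side protocol 1 at all, so on a current host the directive is moot.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether an sshd_config file
# still admits SSH protocol 1, and shows the ",1" removal the post recommends.
# Directive parsing follows sshd_config(5): lines starting with "#" are comments,
# keywords are case-insensitive, "Keyword value" and "Keyword=value" are both
# accepted, and the first occurrence of a keyword wins.

# effective_protocol FILE -> prints the value of the first Protocol directive
effective_protocol() {
    sed -e 's/^[[:space:]]*#.*//' -e 's/=/ /' "$1" \
        | awk 'tolower($1) == "protocol" { print $2; exit }'
}

# ssh1_status FILE -> prints one of:
#   allowed   a Protocol directive lists version 1 (e.g. "2,1" or "1")
#   disabled  a Protocol directive is present and lists only version 2
#   default   no Protocol directive; the outcome depends on the OpenSSH release
#             (before 5.4 the default was "2,1", from 5.4 it is "2", and 7.4
#             and later have no server-side protocol 1 at all)
ssh1_status() {
    value=$(effective_protocol "$1")
    if [ -z "$value" ]; then
        echo default
    elif printf '%s\n' "$value" | tr ',' '\n' | grep -qx '1'; then
        echo allowed
    else
        echo disabled
    fi
}

# harden_protocol IN OUT -> copies IN to OUT with ",1" dropped from any
# "Protocol 2,1" line (the edit the post describes); every other line is kept.
harden_protocol() {
    sed 's/^\([[:space:]]*[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll][[:space:]]*2\),1[[:space:]]*$/\1/' "$1" > "$2"
}

# Demonstration on a constructed sample config (not taken from any real host).
demo() {
    cfg=$(mktemp) && fixed=$(mktemp)
    printf '%s\n' 'Port 22' '# Protocol 1' 'Protocol 2,1' 'Protocol 2' > "$cfg"
    echo "before: $(ssh1_status "$cfg")"     # allowed: first live directive is "2,1"
    harden_protocol "$cfg" "$fixed"
    echo "after:  $(ssh1_status "$fixed")"   # disabled
    rm -f "$cfg" "$fixed"
}

demo
```

The script reads the file rather than asking the running daemon, so it reports what sshd would load on restart, not what is in effect now; on OpenSSH releases that still have the option, `sshd -T` dumps the effective configuration and is the more reliable check of the live service.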