[CLUE-Tech] sshd question

Kevin Fenzi kevin at scrye.com
Mon Aug 11 13:17:29 MDT 2003


>>>>> "David" == David Guntner <davidg at akamail.com> writes:

David> David Anselmi grabbed a keyboard and wrote:
>> 
>> David Guntner wrote:
>> > 
>> > [...]  Trust me, you *don't* want to support Protocol 1.  At
>> > all.
>> 
>> Strong words without a complete risk analysis.  Can you explain
>> what an attacker would have to do to exploit the version 1
>> protocol, so Kevin can make an informed decision about using it?

David> I'm sure another Google search, this time for ssh protocol 1,
David> would provide that information for him better than I could. :-)
David> Short version: Protocol 1 has had numerous security problems in
David> the past and has been broken a number of times.

Yeah, although it's worth noting that if you have an up-to-date
openssh version they have fixes for all the v1 exploits that were
circulating.

Using v2 is still a good idea however. 

>> Of course there isn't anything in Kevin's log to suggest that he is
>> using version 1.

David> I didn't say there was.  But the default configuration has
David> "Protocol 2,1" in it, meaning that it prefers protocol 2 but
David> will fall back to protocol 1 if that's what's offered.  By
David> removing ",1" it will no longer support that protocol on a
David> connecting client, which then denies an attacker one avenue of
David> attack.  I've seen any number of security discussions which end
David> up mentioning that protocol 1 should be avoided at all costs.

I wouldn't say that... I think it's a good idea to use v2, but v1
isn't an instantly compromised machine.

If you can restrict what IPs you allow ssh in from, that would be
another good thing to do (via firewall or whatnot).

kevin

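The "Protocol 2,1" point from the thread as a small audit script. This is an added example, not code from the list or from OpenSSH: it reports the effective Protocol value of an sshd_config (sshd honours the first occurrence of a keyword), says whether the Protocol 1 fallback is on, and writes a hardened copy with Protocol 2 only. Function names are my own, and treating a missing directive as the old "2,1" default is an assumption taken from David's description of the defaults of that time.

```shell
#!/bin/sh
# Added example, not from the list thread or from OpenSSH. Audits an
# sshd_config for Protocol 1 fallback and writes a copy with Protocol 2 only.
# Assumption: a missing Protocol directive means the old "2,1" default that
# David describes (pre-7.4 OpenSSH); 7.4 and later dropped server-side v1.

# Print the effective Protocol value of config file $1. sshd uses the first
# occurrence of a keyword, keywords are case-insensitive, '#' lines are comments.
effective_protocol() {
    v=$(awk 'tolower($1) == "protocol" { print $2; exit }' "$1")
    printf '%s\n' "${v:-2,1}"
}

# Return 0 (true) if Protocol 1 would be offered to clients, 1 otherwise.
protocol1_enabled() {
    case ",$(effective_protocol "$1")," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Copy $1 to $2, dropping "1" from every Protocol line (David's ",1" removal)
# and appending "Protocol 2" when the directive was absent altogether.
harden_config() {
    awk '
        tolower($1) == "protocol" {
            n = split($2, p, ","); out = ""
            for (i = 1; i <= n; i++)
                if (p[i] != "1") out = out (out == "" ? "" : ",") p[i]
            if (out == "") out = "2"
            print "Protocol " out; seen = 1; next
        }
        { print }
        END { if (!seen) print "Protocol 2" }
    ' "$1" > "$2"
}

# Constructed sample (not a real host's config) with the weak fallback.
sample=$(mktemp) && hardened=$(mktemp)
printf '# constructed sample\nPort 22\n#Protocol 2\nProtocol 2,1\n' > "$sample"
if protocol1_enabled "$sample"; then
    echo "Protocol $(effective_protocol "$sample"): v1 fallback enabled"
fi
harden_config "$sample" "$hardened"
echo "Hardened: Protocol $(effective_protocol "$hardened")"
rm -f "$sample" "$hardened"
```

On OpenSSH 7.4 and later the server no longer implements protocol 1 at all, so the directive is only meaningful on the older installs this thread is about.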
