[CLUE-Tech] sshd question
Kevin Fenzi
kevin at scrye.com
Mon Aug 11 13:17:29 MDT 2003
>>>>> "David" == David Guntner <davidg at akamail.com> writes:
David> David Anselmi grabbed a keyboard and wrote:
>>
>> David Guntner wrote:
>> >
>> > [...] Trust me, you *don't* want to support Protocol 1. At all.
>>
>> Strong words without a complete risk analysis. Can you explain
>> what an attacker would have to do to exploit the version 1
>> protocol, so Kevin can make an informed decision about using it?
David> I'm sure another Google search, this time for ssh protocol 1,
David> would provide that information for him better than I could. :-)
David> Short version: Protocol 1 has had numerous security problems in
David> the past and has been broken a number of times.
Yeah, although it's worth noting that if you have an up-to-date
openssh version they have fixes for all the v1 exploits that were
circulating.
Using v2 is still a good idea however.
>> Of course there isn't anything in Kevin's log to suggest that he is
>> using version 1.
David> I didn't say there was. But the default configuration has
David> "Protocol 2,1" in it, meaning that it prefers protocol 2 but
David> will fall back to protocol 1 if that's what's offered. By
David> removing ",1" it will no longer support that protocol on a
David> connecting client, which then denies an attacker one avenue of
David> attack. I've seen any number of security discussions which end
David> up mentioning that protocol 1 should be avoided at all costs.
I wouldn't say that... I think it's a good idea to use v2, but v1
isn't an instantly compromised machine.
If you can restrict what IPs you allow ssh in from, that would be
another good thing to do (via firewall or whatnot).
kevin
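An added example, not part of the thread: a small POSIX shell audit that applies David's point about the "Protocol 2,1" fallback to a constructed sshd_config, flagging any active Protocol line that still offers version 1 and printing the hardened form. It assumes, as David states, that a config with no Protocol line at all inherits the "2,1" default; the sample configs are constructed and the real file lives at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# "Protocol 2,1" fallback discussed above and emit the hardened form.
# Sample configs below are constructed; the real file is /etc/ssh/sshd_config.

WEAK_CONF='# stock config of the kind described in the thread
Port 22
#Protocol 2,1     <- commented template line, not active
Protocol 2,1
PermitRootLogin no'

FIXED_CONF='Port 22
Protocol 2
PermitRootLogin no'

# protocol_allows_v1 CONFIG_TEXT: exit 0 if SSH-1 would be accepted, 1 if not.
# Only the first uncommented Protocol line counts. Assumption, taken from the
# thread: with no Protocol line at all the default "2,1" applies, so v1 is on.
protocol_allows_v1() {
    line=$(printf '%s\n' "$1" | grep -i '^[[:space:]]*Protocol[[:space:]]' | head -n 1)
    [ -z "$line" ] && return 0
    value=$(printf '%s\n' "$line" | awk '{print $2}')
    case ",$value," in
        *,1,*) return 0 ;;   # "1", "2,1" and "1,2" all still offer protocol 1
        *)     return 1 ;;
    esac
}

# harden_protocol CONFIG_TEXT: print the config with only protocol 2 enabled,
# rewriting the active Protocol line or appending one if none exists.
harden_protocol() {
    if printf '%s\n' "$1" | grep -qi '^[[:space:]]*Protocol[[:space:]]'; then
        printf '%s\n' "$1" | sed -E 's/^([[:space:]]*[Pp]rotocol)[[:space:]]+.*/\1 2/'
    else
        printf '%s\nProtocol 2\n' "$1"
    fi
}

# Demonstration when run directly: report the weak config and show the fix.
if protocol_allows_v1 "$WEAK_CONF"; then
    echo "WEAK_CONF: SSH-1 fallback is enabled; hardened version:"
    harden_protocol "$WEAK_CONF"
fi
```

Run it against a real file with `protocol_allows_v1 "$(cat /etc/ssh/sshd_config)"` and restart sshd after applying the rewritten config.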