[CLUE-Tech] sshd question
David Guntner
davidg at akaMail.com
Mon Aug 11 14:45:37 MDT 2003
Kevin Fenzi grabbed a keyboard and wrote:
>
> >>>>> "David" == David Guntner <davidg at akamail.com> writes:
> [...]
> David> Short version: Protocol 1 has had numerous security problems in
> David> the past and has been broken a number of times.
>
> Yeah, although it's worth noting that if you have an up-to-date
> openssh version they have fixes for all the v1 exploits that were
> circulating.
Until they find the next one, anyway. :-)
> Using v2 is still a good idea however.
>
> >> Of course there isn't anything in Kevin's log to suggest that he is
> >> using version 1.
>
> David> I didn't say there was. But the default configuration has
> David> "Protocol 2,1" in it, meaning that it prefers protocol 2 but
> David> will fall back to protocol 1 if that's what's offered. By
> David> removing ",1" it will no longer support that protocol on a
> David> connecting client, which then denies an attacker one avenue of
> David> attack. I've seen any number of security discussions which end
> David> up mentioning that protocol 1 should be avoided at all costs.
>
> I wouldn't say that... I think it's a good idea to use v2, but v1
> isn't an instant compromised machine.
True enough. But I figure, why tempt fate? Protocol 1 is a lot weaker
than protocol 2, and it's been cracked in the past. Protocol 2 has been
out long enough now that any ssh client worth its bits will support it.
> If you can restrict what IP's you allow ssh in from, that would be
> another good thing to do (via firewall or whatnot).
Agreed, although that's not always possible depending on what/who you're
trying to support.
--Dave
--
David Guntner GEnie: Just say NO!
http://www.akaMail.com/pgpkey/davidg or key server for PGP Public key
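The sshd_config change discussed in the message above (dropping the ",1" from "Protocol 2,1" so sshd no longer falls back to protocol 1), as an added shell example that is not part of the original thread. It assumes the "Protocol" keyword of OpenSSH releases from that era, where the first matching keyword in the file wins and the keyword's absence meant the old "2,1" default; OpenSSH 7.4 and later removed server-side protocol 1 entirely, so on those versions the keyword no longer exists and the check below is moot. The sample config lines in the usage section are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for
# SSH protocol 1 fallback and emit a hardened copy.

# ssh1_enabled CONFIG_FILE
# Returns 0 (true) if the config allows protocol 1, 1 (false) otherwise.
# Only the first uncommented "Protocol" line counts, because sshd uses the
# first value it finds for a keyword; if there is none, the pre-7.4 default
# of "2,1" applies, which still permits v1.
ssh1_enabled() {
    cfg="$1"
    proto=$(awk 'tolower($1) == "protocol" { $1 = ""; gsub(/[ \t]/, ""); print; exit }' "$cfg")
    [ -z "$proto" ] && proto="2,1"
    case ",$proto," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# harden_protocol CONFIG_FILE
# Prints the config with the first "Protocol" line replaced by "Protocol 2";
# if the keyword is absent, "Protocol 2" is appended so the default no
# longer applies. Later duplicate Protocol lines are left as-is since sshd
# ignores them anyway.
harden_protocol() {
    awk '
        tolower($1) == "protocol" && !done { print "Protocol 2"; done = 1; next }
        { print }
        END { if (!done) print "Protocol 2" }
    ' "$1"
}

# Usage (constructed sample config): report, then show the hardened version.
if [ "${1:-}" ]; then
    if ssh1_enabled "$1"; then
        echo "$1: protocol 1 is still enabled" >&2
    else
        echo "$1: protocol 1 disabled" >&2
    fi
    harden_protocol "$1"
fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config` to see the hardened file on stdout; redirect that to a new file, diff it against the original, and restart sshd only after a second session has confirmed the change does not lock you out. Restricting source addresses, the other suggestion in the thread, is a firewall matter and is deliberately not covered here.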