[CLUE-Tech] sshd question
David Anselmi
anselmi at americanisp.net
Mon Aug 11 16:38:27 MDT 2003
David Guntner wrote:
[...]
> I'm sure another Google search, this time for ssh protocol 1, would provide
> that information for him better than I could. :-) Short version: Protocol
> 1 has had numerous security problems in the past and has been broken a
> number of times.
[...]
> I've seen any number of security discussions which end up
> mentioning that protocol 1 should be avoided at all costs.

My point was that this sort of fuzzy thinking doesn't belong on this
list. Some people on here are not security experts and will take what
you say as gospel. If what you say isn't accurate it does no one any good.

There have been some exploits for SSH that applied specifically to the
V1 protocol. As Kevin F. said, they've been patched in current
versions. That is a non-issue.

There is also a flaw in the protocol itself that allows the session keys
to be recovered resulting in either the recorded session being decrypted
and read, or possibly a live session could be altered. But this page:

http://linux.oreillynet.com/pub/a/linux/2001/02/13/insecurities.html

says that OpenSSH can't be exploited.

Whether or not version 1 is secure enough depends on a great many
things. You can't say (even if you've heard it said everywhere) "avoid
it at all costs".[1]

Guess what? Even the V2 protocol has vulnerabilities to keystroke
timing attacks (though the OpenSSH folks have done what they could to
mitigate those). What would you say if I told you to avoid SSH at all
costs? You'd say "Well, I don't have anything better," and you'd be
right. But there are some people who do need something better. They
pay for it, they get it. And they don't tell home users not to use SSH.

Sorry for the rant. I know your suggestion was made with good
intentions and it is good advice to use protocol 2 where there's no
reason not to.
Dave