[CLUE-Tech] sshd question

[David Anselmi]

David Guntner wrote:
[...]
> I'm sure another Google search, this time for ssh protocol 1, would provide 
> that information for him better than I could. :-)  Short version:  Protocol 
> 1 has had numerous security problems in the past and has been broken a 
> number of times.
[...]
>  I've seen any number of security discussions which end up
> mentioning that protocol 1 should be avoided at all costs.

My point was that this sort of fuzzy thinking doesn't belong on this 
list.  Some people on here are not security experts and will take what 
you say as gospel.  If what you say isn't accurate it does no one any good.

There have been some exploits for SSH that applied specifically to the 
V1 protocol.  As Kevin F. said, they've been patched in current 
versions.  That is a non-issue.

There is also a flaw in the protocol itself that allows the session keys 
to be recovered resulting in either the recorded session being decrypted 
and read, or possibly a live session could be altered.  But this page:

http://linux.oreillynet.com/pub/a/linux/2001/02/13/insecurities.html

says that OpenSSH can't be exploited.

Whether or not version 1 is secure enough depends on a great many 
things.  You can't say (even if you've heard it said everywhere) "avoid 
it at all costs".[1]

Guess what?  Even the V2 protocol has vulnerabilities to keystroke 
timing attacks (though the OpenSSH folks have done what they could to 
mitigate those).  What would you say if I told you to avoid SSH at all 
costs?  You'd say "Well, I don't have anything better," and you'd be 
right.  But there are some people who do need something better.  They 
pay for it, they get it.  And they don't tell home users not to use SSH.

Sorry for the rant.  I know you're suggestion was made with good 
intentions and it is good advice to use protocol 2 where there's no 
reason not to.

Dave