From owner-freebsd-security Mon Jul 8 20:21:57 2002
Date: Mon, 8 Jul 2002 23:21:47 -0400
From: Zvezdan Petkovic <zvezdan@CS.WM.EDU>
To: security@FreeBSD.ORG
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID: <20020708232147.A22605@dali.cs.wm.edu>
Mail-Followup-To: security@FreeBSD.ORG
References: <20020708141630166.AAA962@empty1.ekahuna.com@pc02.ekahuna.com> <20020708152038.D84324-100000@zoot.corp.yahoo.com>
In-Reply-To: <20020708152038.D84324-100000@zoot.corp.yahoo.com>; from DougB@FreeBSD.ORG on Mon, Jul 08, 2002 at 03:24:55PM -0700
User-Agent: Mutt/1.2.5.1i

On Mon, Jul 08, 2002 at 03:24:55PM -0700, Doug Barton wrote:
> On Mon, 8 Jul 2002, Philip J. Koenig wrote:
>
> Also, as you pointed out, wonky mail configurations are a problem I can
> fix, because I can log into the box. Not being able to log into the box is
> a whole other can of worms.
>

OK, we buy into your reasons of release engineering for keeping v1 the default. But please, do not exaggerate.
Making v2 default wouldn't make a login to a box impossible. That's a ridiculous claim. It would just ignore your authorized ssh1 key and ask you for the password. That is bad for scripts if a sysadmin is too lazy to run echo " Protocol 1,2" >>/etc/ssh/ssh_config over all machines that use those scripts.

I understand your wish to keep life easy for such people. But I do not understand or approve the exaggeration in order to market your opinion better.

Let me repeat: Making v2 the default in the config file (it is already the default in the binary) would break only the scripts relying on the authorized ssh1 keys, _nothing_ else. You'd certainly be able to log into your box and fix the things.

You think it's better to keep v1 the default in 4.x? Fine with me. But don't make oversimplified and misleading claims, please.

-- 
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/
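An added shell example, not from the thread, for the one-line ssh_config change discussed in the post: ssh_config takes the first value it finds for a directive, so blindly appending with `echo ... >>` is silently ignored when a Protocol line already exists earlier in the file. The helper replaces that line instead (or appends when absent) and reads back the effective value the way ssh would; the sample file and its contents are constructed, and the function names are this example's own.

```shell
# Idempotently set a global ssh_config directive. ssh(1) uses the FIRST value
# it sees for a keyword, so `echo "Protocol 1,2" >> ssh_config` does nothing
# if a Protocol line already appears earlier. Assumes the directive is global
# (not scoped inside a "Host" block); keyword match is case-insensitive, as in
# ssh_config itself.
set_ssh_config_directive() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        # replace the first uncommented "KEY ..." line, keep everything else
        tolower($1) == tolower(k) && !done { print k " " v; done = 1; next }
        { print }
        # no existing line: append one
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" &&
        cat "$tmp" > "$file"   # overwrite in place to keep owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print the value ssh would actually use for KEY: the first match wins.
get_ssh_config_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Usage on a constructed sample (the thread's real target is /etc/ssh/ssh_config).
demo_ssh_config() {
    f=$(mktemp) || return 1
    printf '# constructed sample client config\nForwardAgent no\nProtocol 2\n' > "$f"
    set_ssh_config_directive "$f" Protocol 1,2
    get_ssh_config_directive "$f" Protocol   # effective value is now 1,2, one Protocol line
    rm -f "$f"
}
```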