Date:      Fri, 9 Aug 2002 04:22:47 -0400 (EDT)
From:      Trevor Johnson <trevor@jpj.net>
To:        "Peter C. Lai" <sirmoo@cowbert.2y.net>
Cc:        Dag-Erling Smorgrav <des@ofug.org>, Mike Tancsa <mike@sentex.net>, Ruslan Ermilov <ru@FreeBSD.ORG>, <security@FreeBSD.ORG>
Subject:   Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID:  <20020801125134.R19455-100000@blues.jpj.net>
In-Reply-To: <20020801124049.B18439@cowbert.2y.net>

Peter C. Lai wrote:

> On Thu, Aug 01, 2002 at 08:38:11AM -0400, Trevor Johnson wrote:
> > On 1 Aug 2002, Dag-Erling Smorgrav wrote:
> >
> > > Trevor Johnson <trevor@jpj.net> writes:
> > > > This is the section of http://www.openbsd.org/security.html#default which
> > > > I had hoped you would read:
> > > > [...]
> > >
> > > This is the section of Webster's 7th edition dictionary which I had
> > > hoped you would read:
> > >
> > > 1. no \(')n{o-}\ av [ME, fr. OE n{a-}, fr. ne not +
> > >    {a-} always; akin to ON & OHG ne not, L ne-, Gk
> > >    n{e-}- -- more at AYE] chiefly Scot
> > >  1a: NOT
> >
> > Why not?  Do you have a reason?
>
> Production level reasons.
> 1. We already stated that it would be difficult for management of large installations to do this.

Some large organizations have standardized on protocol version 2.
Changing the default to protocol version 1 creates difficulties for them.

	NERSC recently (winter 2001-2002) upgraded all its machines to the most
	secure protocol 2 versions of SSH.
	[...]
	NERSC strongly recommends that you use protocol 2 if possible.

--http://hpcf.nersc.gov/help/access/unixssh/

	[...] anyone still running version 1 of the SSH protocol should be
	restricting access to their servers as far as possible and looking
	to upgrade to servers and clients that support version 2.

-- http://www.ja.net/CERT/JANET-CERT/activity/reports/200112.html

> 2. Stable is supposed to be stable. We've still got lots of people on 4.2,4.3,4.4, and 4.5 out there
> who are living quite nicely with their setups.
> We've got people whose installation is destined to sit in a corner to gather
> dust and do some processing every day, week, or month while the maintainers
> have either left or moved on and no one really notices it is there but would
> seriously "miss" it should it be disturbed in some way. (Note that lack
> of maintenance doesn't imply that the system wasn't set up or designed for this
> eventuality). This means that getting rid of protocol 1 completely
> really wouldn't "increase" the number of secure systems from a statistical
> standpoint.

I'm not asking that protocol version 1 be removed, only that it not be set
as the default in the configuration files.

The existence of unmaintained computers does not justify making new
installations vulnerable.

> 3. We aren't OpenBSD.
> Our target audience is somewhat different. We wish to deliver an
> enterprise level operating solution for free.
> That is all we claim to do. We aren't trying to set any records (regarding
> security or otherwise).
>
> Making other people's lives harder for the sake of some hypothetical gains
> isn't good customer service or marketing. Migrate to OpenBSD if you want
> that sort of thing (and post your wishes on their mailing lists instead of here).
> </rant>

The list charter when I joined said:

	FREEBSD-SECURITY                Security issues
	FreeBSD computer security issues (DES, Kerberos, known security holes and
	fixes, etc).

This is a known security hole:

	SSH Communications Security considers the SSH1 protocol deprecated and
	does not recommend the use of it.

	As of 1 May 2001, SSH Secure Shell 1.x will no longer be available from
	this site. Please modify your product plans accordingly. The SSH2 protocol
	is in the process of becoming an IETF standard and is not subject to the
	security vulnerabilities found in SSH1. Therefore, we will continue to
	focus on the newer SSH2 protocol as we offer, update, upgrade and maintain
	SSH Secure Shell 2.x (and higher) of the software.

-- http://www.ssh.com/products/ssh/deprecation.cfm

	X-Force recommends upgrading to new SSH Version 2 support if possible. If
	SSH Version 1 is not used, disable fallback and remove old sshd Version 1
	binaries. Please refer to your vendor to obtain patch and upgrade
	information.

-- http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?id=advise100

	If you are running sshd, disable the use of the SSH1 protocol in OpenSSH.
	SSH1 contains inherent protocol deficiencies and is not recommended for
	use in high-security environments.

-- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:24.ssh.asc
-- 
Trevor Johnson
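The advice quoted above (disable protocol 1 in sshd, disable fallback, and verify) is easy to get wrong because an absent `Protocol` line silently means the compiled-in default. The following shell script is an added example, not code from the thread or from FreeBSD/OpenSSH: it audits a sshd_config fragment for the `Protocol` directive, emits a hardened copy that pins `Protocol 2`, and classifies the identification string a server sends on connect (`SSH-1.99-` means both versions are offered). The config fragments are constructed; the assumed default of `2,1` when no `Protocol` line exists should be checked against sshd_config(5) for the build in question.

```shell
#!/bin/sh
# Added example (not from the thread): audit and harden the "Protocol"
# directive in an OpenSSH sshd_config, and read the version a server
# advertises in its banner. Sample configs below are constructed.

# Two constructed sshd_config fragments: one that still offers protocol 1
# (with 2 preferred), and one with no Protocol line at all.
WEAK_CONFIG='# constructed sample
Port 22
Protocol 2,1
PermitRootLogin no'

NO_PROTOCOL_CONFIG='# constructed sample
Port 22
PermitRootLogin no'

# Print 1 if the config permits SSH protocol 1, else 0.
#   $1 = config text
#   $2 = value to assume when no Protocol line is present (the compiled-in
#        default; "2,1" is an assumption here, check sshd_config(5) for
#        your build)
# sshd uses the first occurrence of a keyword, so the first Protocol line
# wins; commented-out lines ("#Protocol ...") are ignored.
ssh1_enabled() {
    _proto=$(printf '%s\n' "$1" | awk 'tolower($1) == "protocol" { print $2; exit }')
    [ -n "$_proto" ] || _proto="$2"
    case ",$_proto," in
        *,1,*) echo 1 ;;
        *)     echo 0 ;;
    esac
}

# Emit the config with every Protocol line replaced by "Protocol 2", adding
# one if none was present, so protocol 1 is off regardless of the default.
harden_protocol() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "protocol" { if (!seen) { print "Protocol 2"; seen = 1 }; next }
        { print }
        END { if (!seen) print "Protocol 2" }'
}

# Classify a server identification string as sent on connect:
#   SSH-1.99-...  both versions offered (protocol 1 fallback possible)
#   SSH-1.x-...   protocol 1 only
#   SSH-2.0-...   protocol 2 only
banner_allows_ssh1() {
    case "$1" in
        SSH-1.99-*|SSH-1.5-*|SSH-1.3-*) echo 1 ;;
        SSH-2.0-*)                      echo 0 ;;
        *)                              echo unknown ;;
    esac
}

# Usage on a live host (not run here): fetch the banner with
#   printf '' | nc -w 3 host 22 | head -n 1
# and pass the resulting line to banner_allows_ssh1.
```

The audit and the banner check complement each other: the config tells you what a host will do after the next restart, while the banner tells you what the running daemon actually offers, which is the figure that matters for the unmaintained "sits in a corner" machines discussed in the thread.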


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
