From owner-freebsd-stable Tue Oct 30 16:54:37 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from sploo.aagh.net (pc2-hart4-0-cust103.mid.cable.ntl.com [213.107.122.103])
	by hub.freebsd.org (Postfix) with ESMTP id 36B9737B401
	for ; Tue, 30 Oct 2001 16:54:32 -0800 (PST)
Received: from freaky by sploo.aagh.net with local (Exim 3.33 #1)
	id 15yjeJ-000L4R-00
	for freebsd-stable@freebsd.org; Wed, 31 Oct 2001 00:54:31 +0000
Date: Wed, 31 Oct 2001 00:54:31 +0000
From: Thomas Hurst
To: freebsd-stable@freebsd.org
Subject: Re: suggestion about sshd_config default
Message-ID: <20011031005431.A80719@sploo>
Mail-Followup-To: freebsd-stable@freebsd.org
References: <1004483564.15832.67.camel@smokey.lan.enic.cc>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <1004483564.15832.67.camel@smokey.lan.enic.cc>; from mdf@enic.cc on Tue, Oct 30, 2001 at 03:12:43PM -0800
Organization: Not much.
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

* Mark Foster (mdf@enic.cc) wrote:

> I'm requesting that the default openssh configuration be changed to say
> Protocol 2
> instead of
> #Protocol 2,1
>
>
> Protocol 1 is the subject of a number of recent security advisories, and
> its use should be discouraged. The behavior with the line commented as

ssh1 is still pretty secure, and support for it tends to be rather better
(several Windows clients, including the one I'm using to write this, do
not yet support ssh2, nor do any Amiga clients) than ssh2.

I don't see why this should be changed by default since it has the
potential to lock users out just to close some very difficult to exploit
holes.

Perhaps it would be better, instead, to make this a sysinstall(8) option,
or even just have sysinstall mention it after installation so new users
are aware of the issue.

-- 
Thomas 'Freaky' Hurst  -  freaky@aagh.net  -  http://www.aagh.net/
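
Whichever default ships, an administrator can check which protocol versions a given sshd_config actually enables. The script below is an added example, not part of either message; its function names and sample configs are constructed, and it assumes that with no active Protocol line the built-in default is 2,1, as the commented line quoted in the thread suggests.

```shell
#!/bin/sh
# Added example: report which SSH protocol versions an sshd_config enables.
# ASSUMPTION: with no active Protocol line the compiled-in default is "2,1",
# as the commented "#Protocol 2,1" line quoted in the thread implies.

effective_protocol() {
    # $1 = path to an sshd_config file; prints the effective Protocol value
    awk '
        /^[ \t]*#/ { next }                 # commented lines set nothing
        {
            line = $0
            sub(/^[ \t]+/, "", line)        # tolerate leading whitespace
            n = split(line, f, /[ \t=]+/)   # "Protocol 2" or "Protocol=2"
            if (n >= 2 && tolower(f[1]) == "protocol") {
                found = 1
                print f[2]
                exit                        # first occurrence of a keyword wins
            }
        }
        END { if (!found) print "2,1" }     # assumed default, see above
    ' "$1"
}

allows_protocol_1() {
    # exit status 0 if protocol 1 is among the enabled versions
    case ",$(effective_protocol "$1")," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample configs (hypothetical, not taken from any real host).
tmp=$(mktemp -d)
printf '#Protocol 2,1\nPort 22\n' > "$tmp/stock"
printf 'Port 22\nprotocol 2\nProtocol 2,1\n' > "$tmp/restricted"

for name in stock restricted; do
    if allows_protocol_1 "$tmp/$name"; then
        verdict="protocol 1 clients accepted"
    else
        verdict="protocol 2 only"
    fi
    echo "$name: Protocol $(effective_protocol "$tmp/$name") ($verdict)"
done
rm -rf "$tmp"
```
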