From owner-freebsd-stable  Tue Oct 30 16:54:37 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from sploo.aagh.net (pc2-hart4-0-cust103.mid.cable.ntl.com [213.107.122.103])
	by hub.freebsd.org (Postfix) with ESMTP id 36B9737B401
	for <freebsd-stable@freebsd.org>; Tue, 30 Oct 2001 16:54:32 -0800 (PST)
Received: from freaky by sploo.aagh.net with local (Exim 3.33 #1)
	id 15yjeJ-000L4R-00
	for freebsd-stable@freebsd.org; Wed, 31 Oct 2001 00:54:31 +0000
Date: Wed, 31 Oct 2001 00:54:31 +0000
From: Thomas Hurst <tom.hurst@clara.net>
To: freebsd-stable@freebsd.org
Subject: Re: suggestion about sshd_config default
Message-ID: <20011031005431.A80719@sploo>
Mail-Followup-To: freebsd-stable@freebsd.org
References: <1004483564.15832.67.camel@smokey.lan.enic.cc>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <1004483564.15832.67.camel@smokey.lan.enic.cc>; from mdf@enic.cc on Tue, Oct 30, 2001 at 03:12:43PM -0800
Organization: Not much.
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

* Mark Foster (mdf@enic.cc) wrote:

> I'm requesting that the default openssh configuration be changed to say
> Protocol 2
> instead of 
> #Protocol 2,1
> 
> 
> Protocol 1 is the subject of a number of recent security advisories, and
> it's use should be discouraged. The behavior with the line commented as

ssh1 is still pretty secure, and support for it tends to be rather better
(several windows clients, including the one I'm using to write this, do not
yet support ssh2, nor do any Amiga clients) than ssh2.

I don't see why this should be changed by default since it has the potential
to lock users out just to close some very difficult to exploit holes.

Perhaps it would be better, instead, to make this a sysinstall(8) option,
or even just have sysinstall mention it after installation so new users are
aware of the issue.
-- 
Thomas 'Freaky' Hurst  -  freaky@aagh.net  -  http://www.aagh.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message