From owner-freebsd-security Sun Feb 11 12:48:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id BC4CF37B401 for ; Sun, 11 Feb 2001 12:48:37 -0800 (PST)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f1BKmYM03567; Sun, 11 Feb 2001 12:48:34 -0800 (PST)
Date: Sun, 11 Feb 2001 12:48:34 -0800
From: Alfred Perlstein
To: Kris Kennaway
Cc: William Wong, freebsd-security@FreeBSD.ORG
Subject: Re: Default sshd_config settings
Message-ID: <20010211124834.T3274@fw.wintelcom.net>
References: <000701c0945c$eb3eaff0$0300a8c0@magus> <20010211121803.A78601@mollari.cthul.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010211121803.A78601@mollari.cthul.hu>; from kris@obsecurity.org on Sun, Feb 11, 2001 at 12:18:04PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Kris Kennaway [010211 12:20] wrote:
> On Sun, Feb 11, 2001 at 02:00:36PM -0500, William Wong wrote:
> > Hi there,
> >
> > I'm wondering why only protocol 1 is enabled by default in sshd? Is there a
> > risk with using protocol 2 (or both?)
>
> It's not - you must have an out-of-date file, or are using an old
> version of -stable (very old versions of OpenSSH didn't support
> protocol 2).
>
> The risk is actually with protocol 1 -- it has protocol flaws which
> have been known for quite a while, independent of the recently
> discovered attacks. You should disable it unless you need it.

I've heard that there's still no agent or authentication forwarding for
ssh2 and dsa keys, have you heard about an ETA of these features?

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
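The thread turns on a single sshd_config directive: whether `Protocol` still lists version 1, which Kris Kennaway advises disabling. The following is an added example, not code from the thread or from the FreeBSD or OpenSSH projects: a small POSIX sh audit that reports what a given sshd_config says about the protocol versions. The function name `sshd_protocol_status` and the sample configuration files it writes are constructed for this illustration. It follows sshd's own rule that the first occurrence of a keyword wins, and ignores commented-out lines, which is where "#Protocol 2,1" style defaults usually sit.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit an sshd_config
# for the SSH protocol 1 setting that the thread recommends disabling.
#
# Usage: sshd_protocol_status /path/to/sshd_config
# Prints one of:
#   weak   - the effective Protocol directive lists version 1
#            (alone, or alongside 2, e.g. "Protocol 2,1")
#   ok     - the effective Protocol directive lists version 2 only
#   unset  - no uncommented Protocol directive; the daemon's compiled-in
#            default applies, which this script does not try to guess
sshd_protocol_status() {
    cfg="$1"
    # sshd uses the FIRST occurrence of a keyword, so take head -n 1.
    # Keywords are case-insensitive (-i); lines starting with '#' are
    # excluded because the pattern is anchored at the first non-blank char.
    line=$(grep -i '^[[:space:]]*Protocol[[:space:]]' "$cfg" | head -n 1)
    if [ -z "$line" ]; then
        echo unset
        return 0
    fi
    # Strip any trailing comment, then take the value field ("2,1", "2", "1").
    versions=$(printf '%s\n' "$line" | sed 's/#.*//' | awk '{print $2}')
    # Wrap in commas so that "1" matches only as a whole list element.
    case ",$versions," in
        *,1,*) echo weak ;;
        *,2,*) echo ok ;;
        *)     echo unset ;;   # unrecognised value; report as unknown
    esac
}

# Demonstration on constructed sample files (these are NOT real system configs).
demo_dir=$(mktemp -d)
printf 'Port 22\nProtocol 2,1\n'        > "$demo_dir/both_enabled"
printf '#Protocol 2,1\nProtocol 2\n'    > "$demo_dir/v2_only"
printf 'Port 22\nPermitRootLogin no\n'  > "$demo_dir/no_directive"
for f in both_enabled v2_only no_directive; do
    printf '%-14s %s\n' "$f:" "$(sshd_protocol_status "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

Run it against `/etc/ssh/sshd_config` on a host; a result of `weak` means the daemon will still negotiate protocol 1 with any client that asks, and `unset` means the answer depends on the build's default rather than on anything the administrator wrote down.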