From: Jan Conrad
To: freebsd-security@freebsd.org
Cc: Ralph Schreyer
Date: Thu, 15 Feb 2001 12:30:20 +0100 (CET)
Subject: Why does openssh protocol default to 2?

Hello,

for quite a long time now I cannot understand why people encourage others to use ssh2 by default, and I wanted to ask the readers of this list for their opinion.

Even though I believe people saying that ssh2 is much more secure for root accounts and servers etc., I don't see why this should be true in general. Especially on bigger, say university, networks such as ours, where you often find BNC segments or the switches are more or less accessible to everyone (who really wants to...), in my opinion ssh2 is much more insecure than ssh1.

My problem simply is that the id_dsa file is stored in user home dirs, which typically are mounted via NFS. So ssh2, in contrast to ssh1 with RSAAuthentication disabled, allows sniffers to access your system even without *actively* attacking your system; all you need is the id_dsa file.... Even if that file is protected by a passphrase, you don't gain much...
In conclusion, I would like to have the ssh protocol defaulted to 1 with RSAAuthentication disabled; of course, people who install servers and security-specific stuff should know not to use that for their uses, but most other people simply install the default.

best regards
Jan

-- 
Physikalisches Institut der Universitaet Bonn
Nussallee 12
D-53115 Bonn
GERMANY
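An added audit check for the situation Jan describes (private keys in NFS-mounted home directories); this is not part of his mail or of OpenSSH. It lists the usual private key files under each home directory, reports the filesystem type they sit on (parsed from fstab-style mount listings: Linux /proc/mounts or FreeBSD `mount -p`, both assumed), and judges from the file header alone whether each key is passphrase-protected; it goes beyond the page's id_dsa case by also handling the newer openssh-key-v1 format. The sample keys used in the helper are constructed and contain no key material.

```python
import base64, glob, os, struct, subprocess

OPENSSH_MAGIC = b"openssh-key-v1\x00"
KEY_NAMES = ("identity", "id_dsa", "id_rsa", "id_ecdsa", "id_ed25519")

def classify_key(data: bytes) -> str:
    """Return 'encrypted', 'plaintext' or 'unknown' for the contents of a private key file."""
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        # openssh-key-v1: base64 body = magic, then a length-prefixed cipher name ("none" = no passphrase)
        body = b"".join(line.strip() for line in data.splitlines() if not line.startswith(b"-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(OPENSSH_MAGIC) or len(raw) < 19:
            return "unknown"
        n = struct.unpack(">I", raw[15:19])[0]  # magic is 15 bytes, then u32 cipher-name length
        return "plaintext" if raw[19:19 + n] == b"none" else "encrypted"
    if b"PRIVATE KEY-----" in data:
        # legacy PEM (the id_dsa/id_rsa files of 2001): a passphrase adds a Proc-Type header
        return "encrypted" if b"Proc-Type: 4,ENCRYPTED" in data else "plaintext"
    return "unknown"

def parse_mounts(text: str) -> list:
    """Parse fstab-style lines 'device mountpoint fstype opts ...' (Linux /proc/mounts, FreeBSD 'mount -p')."""
    return [(p[1], p[2]) for p in (line.split() for line in text.splitlines()) if len(p) >= 3]

def fstype_for(path: str, mounts) -> str:
    """Filesystem type of the mount holding path (longest matching mountpoint wins)."""
    hits = [(mp, fs) for mp, fs in mounts if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(hits, key=lambda h: len(h[0]))[1] if hits else "unknown"

def audit(homes, mounts) -> list:
    """Return (path, fstype, status) for every key file found under the given home directories."""
    findings = []
    for path in (os.path.join(h, ".ssh", n) for h in homes for n in KEY_NAMES):
        if os.path.isfile(path):
            with open(path, "rb") as f:
                findings.append((path, fstype_for(path, mounts), classify_key(f.read())))
    return findings

def constructed_openssh_key(cipher: bytes) -> bytes:
    """Constructed sample for testing: only the header fields are real, there is no key material."""
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", 4) + b"none"
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n".encode()

if __name__ == "__main__":
    # run as root on the NFS client: /proc/mounts on Linux, 'mount -p' (fstab format) on FreeBSD
    src = open("/proc/mounts").read() if os.path.exists("/proc/mounts") else subprocess.run(["mount", "-p"], capture_output=True, text=True).stdout
    for path, fs, status in audit(glob.glob("/home/*"), parse_mounts(src)):
        print(f"{path}: {status} key on {fs}")
```

A "plaintext key on nfs" line is the case the mail is about: the key is readable to anyone who can see NFS traffic, and the check only reads headers, so it is safe to run over all home directories.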