From owner-freebsd-security  Thu Feb 15  3:34:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-67.dsl.lsan03.pacbell.net [63.207.60.67])
	by hub.freebsd.org (Postfix) with ESMTP id A785C37B4EC
	for <freebsd-security@freebsd.org>; Thu, 15 Feb 2001 03:34:11 -0800 (PST)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id 2748766B00; Thu, 15 Feb 2001 03:34:11 -0800 (PST)
Date: Thu, 15 Feb 2001 03:34:10 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Jan Conrad <conrad@th.physik.uni-bonn.de>
Cc: freebsd-security@freebsd.org,
	Ralph Schreyer <schreyer@th.physik.uni-bonn.de>
Subject: Re: Why does openssh protocol default to 2?
Message-ID: <20010215033410.A86524@mollari.cthul.hu>
References: <Pine.BSF.4.33.0102151204150.41000-100000@merlin.th.physik.uni-bonn.de>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="OXfL5xGRrasGEqWY"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.BSF.4.33.0102151204150.41000-100000@merlin.th.physik.uni-bonn.de>; from conrad@th.physik.uni-bonn.de on Thu, Feb 15, 2001 at 12:30:20PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--OXfL5xGRrasGEqWY
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote:
> Hello,
>=20
> for quite a long time now I cannot understand why people encourage others
> for using ssh2 by default and I wanted to ask the readers of this list for
> their opinion.

SSH1 has fundamental protocol flaws.  SSH2 doesn't, that we know of.

> Even though I believe people saying that ssh2 is much more secure for root
> accounts and servers etc. I don't see why this should be true in general.
>=20
> Especially on bigger, say university networks as ours, where you often
> find BNC segments or the switches are more or less acessible to everyone
> (who really wants to...) in my opinion ssh2 is much more insecure as ssh1.
>=20
> My problem simply is that the id_dsa file is stored in user home dirs,
> which typically are mounted via NFS. So ssh2, in contrast to ssh1 with
> RSAAuthentication disabled, allows sniffers to access your system even
> without *actively* attacking your system, all you need is the id_dsa
> file....
>=20
> Even if that file is protected by a passphrase, you don't gain much...

I don't understand your complaint.  If you don't want to use SSH2 with
RSA/DSA keys, don't do that.  Use the UNIX password or some other PAM
authentication module (OPIE, etc)

Kris

--OXfL5xGRrasGEqWY
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6i76yWry0BWjoQKURAv5JAKC0kj0vrQlqcZxyip7DpbCrnvsFFwCeKqJZ
woGtt4htbjFc0igIyCRABKw=
=5/tV
-----END PGP SIGNATURE-----

--OXfL5xGRrasGEqWY--


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message