Date: Thu, 15 Feb 2001 03:34:10 -0800 From: Kris Kennaway <kris@obsecurity.org> To: Jan Conrad <conrad@th.physik.uni-bonn.de> Cc: freebsd-security@freebsd.org, Ralph Schreyer <schreyer@th.physik.uni-bonn.de> Subject: Re: Why does openssh protocol default to 2? Message-ID: <20010215033410.A86524@mollari.cthul.hu> In-Reply-To: <Pine.BSF.4.33.0102151204150.41000-100000@merlin.th.physik.uni-bonn.de>; from conrad@th.physik.uni-bonn.de on Thu, Feb 15, 2001 at 12:30:20PM %2B0100 References: <Pine.BSF.4.33.0102151204150.41000-100000@merlin.th.physik.uni-bonn.de>
next in thread | previous in thread | raw e-mail | index | archive | help
--OXfL5xGRrasGEqWY Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote: > Hello, >=20 > for quite a long time now I cannot understand why people encourage others > for using ssh2 by default and I wanted to ask the readers of this list for > their opinion. SSH1 has fundamental protocol flaws. SSH2 doesn't, that we know of. > Even though I believe people saying that ssh2 is much more secure for root > accounts and servers etc. I don't see why this should be true in general. >=20 > Especially on bigger, say university networks as ours, where you often > find BNC segments or the switches are more or less acessible to everyone > (who really wants to...) in my opinion ssh2 is much more insecure as ssh1. >=20 > My problem simply is that the id_dsa file is stored in user home dirs, > which typically are mounted via NFS. So ssh2, in contrast to ssh1 with > RSAAuthentication disabled, allows sniffers to access your system even > without *actively* attacking your system, all you need is the id_dsa > file.... >=20 > Even if that file is protected by a passphrase, you don't gain much... I don't understand your complaint. If you don't want to use SSH2 with RSA/DSA keys, don't do that. Use the UNIX password or some other PAM authentication module (OPIE, etc) Kris --OXfL5xGRrasGEqWY Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6i76yWry0BWjoQKURAv5JAKC0kj0vrQlqcZxyip7DpbCrnvsFFwCeKqJZ woGtt4htbjFc0igIyCRABKw= =5/tV -----END PGP SIGNATURE----- --OXfL5xGRrasGEqWY-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010215033410.A86524>