Date:      Thu, 1 Aug 2002 08:06:41 -0400 (EDT)
From:      Trevor Johnson <trevor@jpj.net>
To:        Dag-Erling Smorgrav <des@ofug.org>
Cc:        Mike Tancsa <mike@sentex.net>, Ruslan Ermilov <ru@FreeBSD.ORG>, <security@FreeBSD.ORG>
Subject:   Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID:  <20020705170032.V94044-100000@blues.jpj.net>
In-Reply-To: <xzpit3utgcq.fsf@flood.ping.uio.no>

Dag-Erling Smorgrav wrote:

> Trevor Johnson <trevor@jpj.net> writes:
> > Use of protocol version 1 makes an insertion attack possible, according to
> > <URL:http://www.openssh.com/security.html>.
>
> That same page also explains that OpenSSH contains code to make such
> attacks very difficult.

Their actual wording is "difficult but possible," not "very difficult."

The CRC32 compensation detection code to which you allude used to have a
remote root hole, which was published and widely exploited.  In response,
CERT recommended in December of 2001 that protocol version 1 be disabled:

	Because the vulnerability affects software handling the SSHv1
	protocol, sites may wish to enable SSHv2 support only and disable
	SSHv1 fallback support. Refer to your secure shell server software
	documentation for information about how to accomplish this.

	Disabling SSHv1 support is generally a good practice, since a
	number of other vulnerabilities exist in the SSHv1 protocol itself
	and software handling of this protocol.

That is from <URL:http://www.cert.org/incident_notes/IN-2001-12.html>.

> >                                              The vulnerability was
> > published by CORE SDI in June of 1998.  I would like to see protocol
> > version 1 disabled by default, with a note in UPDATING about the change.
>
> No.  I will not arbitrarily lock users out of their machines.

Many users already must read UPDATING to get a working installation of
OpenSSH.

The OpenBSD folks have a philosophy that users who don't understand their
systems and don't spend much time configuring their systems shouldn't
become easy marks for attackers because of the installation defaults.
They explain it better than I, at
<URL:http://www.openbsd.org/security.html#default>.

Removing a weakness in security is not an arbitrary change.  It is the
type of change that is suitable for FreeBSD -STABLE in spite of
inconvenience to users, and making one-line changes to two files is only a
mild inconvenience.

Please reconsider.
-- 
Trevor Johnson


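The "one-line changes to two files" mentioned above are the Protocol
directive in sshd_config and ssh_config.  The following script is an added
example for this archive page, not code from the thread or from the
OpenSSH or FreeBSD projects: it reads the effective Protocol value from a
config file, reports whether protocol version 1 is still permitted, and
applies the one-line fix.  The sample config files are constructed inline;
treating a missing Protocol directive as "2,1" (the commented-out default
that shipped with OpenSSH 3.4p1) is an assumption of this example.

```shell
# Added example: audit an OpenSSH config for protocol-1 fallback and fix it.
# Assumes the OpenSSH 3.x-era "Protocol" directive and that an absent
# directive means the 3.4p1 default "2,1" (protocol 1 still permitted).

ssh_protocol_value() {
    # Print the effective Protocol value of the config file in $1.
    # Only the first uncommented "Protocol" line counts, since sshd and
    # ssh use the first matching directive they read.
    val=$(sed -n 's/^[[:space:]]*Protocol[[:space:]]\{1,\}\([^#]*\).*/\1/p' "$1" \
          | head -n 1 | tr -d '[:space:]')
    if [ -z "$val" ]; then
        echo "2,1"   # assumed default when the directive is absent
    else
        echo "$val"
    fi
}

allows_protocol1() {
    # Return 0 if protocol version 1 is permitted by the config in $1, else 1.
    # The value is a comma-separated list ("2", "2,1", "1,2"), so wrap it in
    # commas and look for ",1," as a whole item.
    case ",$(ssh_protocol_value "$1")," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

set_protocol2() {
    # The one-line change: force "Protocol 2" in $1, either by rewriting the
    # existing uncommented directive or by prepending one if there is none.
    if grep -q '^[[:space:]]*Protocol[[:space:]]' "$1"; then
        sed 's/^[[:space:]]*Protocol[[:space:]].*/Protocol 2/' "$1" > "$1.new"
    else
        { echo 'Protocol 2'; cat "$1"; } > "$1.new"
    fi
    mv "$1.new" "$1"
}

report() {
    # Human-readable summary for one file.
    if allows_protocol1 "$1"; then
        echo "$1: Protocol $(ssh_protocol_value "$1") -> protocol 1 ALLOWED"
    else
        echo "$1: Protocol $(ssh_protocol_value "$1") -> protocol 2 only"
    fi
}

# Constructed sample configs (not real files from any system).
tmp=$(mktemp -d)
printf '# commented-out default, as shipped\n#Protocol 2,1\nPort 22\n' \
    > "$tmp/sshd_config.default"
printf 'Protocol 2\nPort 22\n' > "$tmp/sshd_config.hardened"
printf 'Host *\n    Protocol 2,1\n' > "$tmp/ssh_config.weak"

report "$tmp/sshd_config.default"
report "$tmp/sshd_config.hardened"
report "$tmp/ssh_config.weak"

# Apply the fix to a copy of the weak client config and re-check it.
cp "$tmp/ssh_config.weak" "$tmp/ssh_config.fixed"
set_protocol2 "$tmp/ssh_config.fixed"
report "$tmp/ssh_config.fixed"
```

Run it against /etc/ssh/sshd_config and /etc/ssh/ssh_config with report to
see what a host actually permits; note that the server-side directive is
what matters for the CRC32 compensation attack discussed above, while the
client-side one prevents a client from being talked down to protocol 1 by
a server.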
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
