From: Kris Kennaway
To: Jan Conrad
Cc: Kris Kennaway, freebsd-security@freebsd.org, Ralph Schreyer
Date: Thu, 15 Feb 2001 13:30:00 -0800
Subject: Re: Why does openssh protocol default to 2?
Message-ID: <20010215133000.A12807@mollari.cthul.hu>

On Thu, Feb 15, 2001 at 01:18:45PM +0100, Jan Conrad wrote:
> On Thu, 15 Feb 2001, Kris Kennaway wrote:
>
> > On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote:
> > > Hello,
> > >
> > > for quite a long time now I cannot understand why people encourage others
> > > to use ssh2 by default and I wanted to ask the readers of this list for
> > > their opinion.
> >
> > SSH1 has fundamental protocol flaws. SSH2 doesn't, that we know of.
>
> I knew that statement... Could you give me a good reference for a
> detailed discussion on that?

www.core-sdi.com probably has some information - there are recently
discovered flaws and a number of older ones.

> > I don't understand your complaint. If you don't want to use SSH2 with
> > RSA/DSA keys, don't do that. Use the UNIX password or some other PAM
> > authentication module (OPIE, etc)
>
> Sorry - I did not want to complain... (really :-)
>
> What would you suggest for NFS mounted home dirs as a reasonable solution?
> (To store keys I mean..)

If you have people sniffing your NFS traffic then you're in trouble
anyway since they can probably spoof things very easily. Consider
what's really your threat model here.

If you really don't want people to use DSA authentication (it's not a
security risk unless they use a weak passphrase) then disable it with
the appropriate configuration directive in /etc/ssh/sshd_config.

Kris
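An added audit script, not part of the thread, that checks a sshd_config for the two settings the reply touches on: whether protocol 1 is still negotiable and whether SSH2 public-key (RSA/DSA) authentication is accepted. The directive names `Protocol` and `PubkeyAuthentication` are assumed from OpenSSH's sshd_config(5) (early OpenSSH 2.x releases spelled the latter `DSAAuthentication`), the defaults are those of a 2001-era build, and the two configs it inspects are constructed samples.

```shell
#!/bin/sh
# Added example (not from the mailing list post): audit an sshd_config for
# protocol 1 and SSH2 public-key authentication. Directive names are assumed
# from sshd_config(5); defaults reflect OpenSSH 2.x of the period.

# Print the effective value of a keyword. sshd_config(5) documents that the
# FIRST occurrence of a keyword wins, so a later duplicate is ignored.
effective_directive() {
    cfg=$1; key=$2; default=$3
    lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    val=$(sed -e 's/#.*//' "$cfg" | awk -v k="$lkey" 'tolower($1)==k {print $2; exit}')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# "yes" if protocol 1 can still be negotiated. Default "2,1" matches the era.
ssh1_allowed() {
    proto=$(effective_directive "$1" Protocol 2,1)
    case ",$proto," in
        *,1,*) echo yes ;;
        *)     echo no ;;
    esac
}

# "yes" if SSH2 public-key (RSA/DSA) logins are accepted; the default is yes.
pubkey_allowed() {
    effective_directive "$1" PubkeyAuthentication yes | tr 'A-Z' 'a-z'
}

# Constructed sample configs (not taken from any real host).
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# shipped default of the period: both protocols, public keys on
Protocol 2,1
PubkeyAuthentication yes
EOF

HARD_CFG=$(mktemp)
cat >"$HARD_CFG" <<'EOF'
Protocol 2
PubkeyAuthentication no
# a later duplicate does not override the first occurrence
PubkeyAuthentication yes
EOF

audit() {
    printf '%s: ssh1=%s pubkey=%s\n' "$1" "$(ssh1_allowed "$1")" "$(pubkey_allowed "$1")"
}
audit "$WEAK_CFG"
audit "$HARD_CFG"
```

The first-occurrence rule is the detail worth remembering when reviewing a host: a hardened line appended at the end of sshd_config does nothing if a permissive one already appears above it.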