From: Trevor Johnson
To: Dag-Erling Smorgrav
Cc: Mike Tancsa, Ruslan Ermilov
Date: Fri, 5 Jul 2002 10:01:45 -0400 (EDT)
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID: <20020705094314.C73784-100000@blues.jpj.net>

> > As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good
> > time to make the 2,1 the default instead?
>
> I'd like that. I think the only reason for the old default was not to
> surprise users who had the ssh1 RSA host key in their known_hosts but
> not the ssh2 DSA host key.
>
> What do people think about this? Keep 2,1 or revert to 1,2?

Use of protocol version 1 makes an insertion attack possible, according to . The vulnerability was published by CORE SDI in June of 1998. I would like to see protocol version 1 disabled by default, with a note in UPDATING about the change.
-- 
Trevor Johnson
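The thread turns on the order of the sshd `Protocol` directive (`1,2` versus `2,1`), but as the reply above points out, either order still accepts protocol 1; only `Protocol 2` removes it. The following audit helper is an added example, not code from the thread or from FreeBSD/OpenSSH: it parses the `Protocol` directive from an sshd_config the way sshd reads it (first occurrence wins, comments ignored) and flags any configuration that still offers version 1. The default assumed when the directive is absent (`2,1`, the OpenSSH 3.x shipping default) is an assumption, as are the constructed sample configs.

```python
import re

# Assumed OpenSSH 3.x default used when no Protocol directive is present.
DEFAULT_PROTOCOL = "2,1"

_PROTOCOL_RE = re.compile(r"^protocol\s+(\S+)$", re.IGNORECASE)


def protocol_versions(config_text: str) -> list:
    """Return the SSH protocol versions sshd would offer, in preference order.

    Mirrors sshd parsing: '#' starts a comment, blank lines are skipped, and
    for a repeated keyword the first value obtained is the one that counts.
    """
    value = DEFAULT_PROTOCOL
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _PROTOCOL_RE.match(line)
        if match:
            value = match.group(1)
            break  # first occurrence wins, later ones are ignored
    return [int(v) for v in value.split(",") if v.strip()]


def allows_protocol1(config_text: str) -> bool:
    """True if protocol 1 is accepted at all, regardless of preference order."""
    return 1 in protocol_versions(config_text)


def audit(config_text: str) -> str:
    """One-line finding: ordering 2,1 is not a fix, only 'Protocol 2' is."""
    versions = protocol_versions(config_text)
    shown = ",".join(str(v) for v in versions)
    if 1 in versions:
        role = "preferred" if versions[0] == 1 else "accepted as fallback"
        return f"WARN: protocol 1 {role} (Protocol {shown}); set 'Protocol 2'"
    return f"OK: only protocol 2 offered (Protocol {shown})"


# Constructed sample configs (not taken from any real host).
OLD_DEFAULT = "# constructed: old -STABLE ordering\nProtocol 1,2\nPermitRootLogin no\n"
NEW_DEFAULT = "Protocol 2,1   # constructed: reordered but v1 still on\n"
HARDENED = "Protocol 2\n"
ABSENT = "PermitRootLogin no\n"  # falls back to the assumed default

if __name__ == "__main__":
    for name, cfg in [("old", OLD_DEFAULT), ("new", NEW_DEFAULT),
                      ("hardened", HARDENED), ("absent", ABSENT)]:
        print(f"{name:9s} {audit(cfg)}")
```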