Date: Wed, 17 Jul 2002 19:08:44 -0700
From: "Lucky Green" <shamrock@cypherpunks.to>
To: <freebsd-current@freebsd.org>
Subject: Suggestion to disable ssh1 in FreeBSD 5.0
Message-ID: <002001c22c91$24e60690$6501a8c0@LUCKYVAIO>
FreeBSD Gurus,

I would like to suggest for the FreeBSD team to please consider disabling support for ssh1 in the default configuration of sshd starting with FreeBSD 5.0 for the following reasons:

1) The ssh1 protocol is fundamentally insecure. The protocol uses a CRC where a MAC is needed, permitting the insertion of data into the connection. While there have been various patches over the years that attempt to detect attacks trying to exploit this security hole, no patch can ever fully fix this security hole. Sure, we may not at present know an exploit that could be successfully launched against the present ssh1, but few security experts feel comfortable that another, or even several other, such exploits will not be found. Consequently, many security conscious folks long ago disabled ssh1 access to their servers.

2) While compatibility was once a problem, by now there are a sufficient number of free ssh2-capable clients available on a wide range of platforms. It must be the rare case in which a server truly needs to maintain the use of ssh1 because there are no ssh2 clients for the client platform. (I can't even think of one such client platform, though I don't doubt they exist). At any rate, ssh2-capable clients have become sufficiently widely available, and will be even more widely available by the time FreeBSD 5.0 is released, that compatibility is losing strength as an argument to leave ssh1 enabled by default. If somebody truly needs ssh1 they will know how to edit a config file.

3) Compatibility reducing security is typically not a good thing.

I therefore would like to ask the FreeBSD team to please consider, in the default configuration of FreeBSD 5.0, only enabling ssh2 for sshd.

Thanks,
--Lucky Green
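The following is an added illustration of the CRC-versus-MAC point in reason 1; it is not part of the message above nor code from FreeBSD or OpenSSH. It shows, on a constructed message and a constructed key (both assumptions, not values from the thread), that a keyless CRC-32 tag stays consistent after the message is altered because CRC-32 is affine over XOR, whereas a keyed HMAC tag does not, which is why a CRC cannot stand in for a MAC on an encrypted channel.

```python
import hashlib
import hmac
import zlib

# Constructed sample values: the key stands in for a session secret that
# only the two legitimate endpoints share; the message is arbitrary.
KEY = b"constructed-session-key"
MESSAGE = b"transfer 100 to alice"


def crc_tag(msg: bytes) -> int:
    """Keyless integrity tag of the kind ssh1 relied on (CRC-32)."""
    return zlib.crc32(msg) & 0xFFFFFFFF


def mac_tag(key: bytes, msg: bytes) -> bytes:
    """Keyed integrity tag of the kind ssh2 uses (HMAC-SHA256 here)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def crc_check(msg: bytes, tag: int) -> bool:
    return crc_tag(msg) == tag


def mac_check(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)


def crc_after_xor(msg: bytes, tag: int, delta: bytes) -> int:
    """Predict the CRC of (msg XOR delta) from the old tag alone.

    For equal-length inputs CRC-32 satisfies
        crc(a ^ b) == crc(a) ^ crc(b) ^ crc(all-zero bytes),
    so the tag can be kept consistent with no secret at all. A MAC has
    no such property: without the key the new tag cannot be computed.
    """
    return tag ^ crc_tag(delta) ^ crc_tag(bytes(len(msg)))


def run_demo():
    """Alter one byte ("100" -> "900") and re-verify both tags."""
    crc, mac = crc_tag(MESSAGE), mac_tag(KEY, MESSAGE)
    delta = bytearray(len(MESSAGE))
    delta[9] = ord("1") ^ ord("9")  # index 9 is the '1' in "100"
    altered = bytes(x ^ y for x, y in zip(MESSAGE, delta))
    # The CRC tag is adjusted keylessly; the MAC tag can only be reused as-is.
    crc_accepts = crc_check(altered, crc_after_xor(MESSAGE, crc, bytes(delta)))
    mac_accepts = mac_check(KEY, altered, mac)
    return altered, crc_accepts, mac_accepts


if __name__ == "__main__":
    print(run_demo())  # (b'transfer 900 to alice', True, False)
```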