Date: Sat, 6 Jul 2002 14:28:09 -0400
From: Zvezdan Petkovic <zvezdan@CS.WM.EDU>
To: security@FreeBSD.ORG
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID: <20020706142809.A2652@dali.cs.wm.edu>
In-Reply-To: <20020706035731.N2631-100000@walter>; from jason-fbsd-security@shalott.net on Sat, Jul 06, 2002 at 04:02:27AM -0700
References: <xzphejepfd7.fsf_-_@flood.ping.uio.no> <20020706035731.N2631-100000@walter>
On Sat, Jul 06, 2002 at 04:02:27AM -0700, Jason Stone wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > > As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good
> > > time to make the 2,1 the default instead ?
> >
> > I'd like that. I think the only reason for the old default was not to
> > surprise users who had the ssh1 RSA host key in their known_hosts but
> > not the ssh2 DSA host key.
> >
> > What do people think about this? Keep 2,1 or revert to 1,2?
>
> There is a whole lot of infrastructure surrounding ssh v1 keys out there,
> and it will all break if you change the default to v2.
>

I usually keep silent but this really triggered me.

What do you mean when you say it will _all_ break?

I remember very well that the switching to v2 didn't involve too much.
The default in OpenSSH source is Protocol 2,1. That doesn't exclude
Protocol 1. It only means that the client will try v2 first, and if it
doesn't succeed it will fall back to v1. Thus, if your server doesn't
want to talk v2 the client won't be able to use it and will work as v1.
For instance, an old Solaris server that's too slow to run v2 talks
happily (v1 only) with 2,1 clients without any change.

If you do not want your client to talk v2 at all, is it really that
difficult to roll a loop over your network and

	echo " Protocol 1,2" >>/etc/ssh/ssh_config

on your clients?

> With the 5.0-RELEASE on the not-too-distant horizon, I really think it
> best to not change default behaviour within a major release. Keep the
> default as it is - don't break people.
>

Did you actually try this to claim so confidently that the switch will
_break_ them so badly? My experience is not that bad.

--
Zvezdan Petkovic <zvezdan@cs.wm.edu>
http://www.cs.wm.edu/~zvezdan/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020706142809.A2652>
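Two points in the message above lend themselves to a worked example: how a "2,1" client ends up talking v1 to a v1-only server, and the suggested one-liner that appends "Protocol 1,2" to every client's ssh_config. The following shell script is an added example, not code from this thread, from OpenSSH or from FreeBSD. It assumes a POSIX sh with awk and grep; the probe_ssh_banner helper additionally assumes an nc(1) that accepts -w. The banners and config contents in the usage section are constructed. Which protocol versions an sshd offers is visible in the identification string it sends first ("SSH-<protoversion>-<softwareversion>"): a server that speaks both 1 and 2 announces protoversion 1.99, so a 2,1 client negotiates v2 with it and simply falls back to v1 against an SSH-1.5 server. The append-only approach works once, but repeated runs leave duplicate lines, and ssh_config takes the first value it finds, so an appended line is ignored whenever an earlier Protocol line already exists; set_ssh_protocol edits the file idempotently instead.

```shell
#!/bin/sh
# Added example (not from the thread, OpenSSH or FreeBSD). Assumes POSIX sh, awk, grep;
# probe_ssh_banner assumes an nc(1) that accepts -w. Sample data is constructed.

# Classify an SSH identification string ("SSH-<protoversion>-<softwareversion>").
# Prints "1", "2", "1,2" or "unknown". Protoversion 1.99 means the server offers both.
ssh_banner_protocols() {
    case "$1" in
        SSH-1.99-*)    echo "1,2" ;;      # both protocols offered
        SSH-2.0-*)     echo "2"   ;;      # protocol 2 only
        SSH-1.[0-9]-*) echo "1"   ;;      # 1.3 / 1.5: protocol 1 only
        *)             echo "unknown" ;;
    esac
}

# Fetch the identification string from a live server (needs network; not exercised
# by the test). $1 = host, $2 = port (default 22). Only the first line is the banner.
probe_ssh_banner() {
    nc -w 3 "$1" "${2:-22}" </dev/null | sed -n '1p' | tr -d '\r'
}

# Effective Protocol value of an ssh_config-style file. ssh(1) uses the first value it
# finds and keywords are case-insensitive; the "keyword=value" spelling is accepted too.
# Prints nothing when the keyword is absent (the compiled-in default then applies).
ssh_config_protocol() {
    awk '{ sub(/=/, " "); if (tolower($1) == "protocol") { print $2; exit } }' "$1"
}

# Set Protocol in file $1 to $2 ("2,1" or "1,2") idempotently: drop every existing
# Protocol line and write the new one at the top, ahead of any Host block, so it is
# the value the first-match rule picks up. Edits via a temp file and a rename.
set_ssh_protocol() {
    f=$1; v=$2; tmp="$f.tmp.$$"
    {
        printf 'Protocol %s\n' "$v"
        # grep -v exits 1 when nothing is left to print; that is not an error here
        grep -iv '^[[:space:]]*protocol[[:space:]=]' "$f" || :
    } > "$tmp" && mv "$tmp" "$f"
}

# Usage (constructed data):
#   ssh_banner_protocols 'SSH-1.99-OpenSSH_3.4p1'   -> 1,2
#   ssh_banner_protocols 'SSH-1.5-OpenSSH_2.9'      -> 1
#   cfg=$(mktemp); printf 'Host *\n    Protocol 1,2\n' > "$cfg"
#   set_ssh_protocol "$cfg" 2,1
#   ssh_config_protocol "$cfg"                       -> 2,1
```

To roll this out the way the message suggests, run set_ssh_protocol on each client's /etc/ssh/ssh_config from a loop over the host list rather than appending blindly; the function can be re-run safely when a host is revisited. Whether a given server still needs v1 at all can be checked beforehand with probe_ssh_banner piped into ssh_banner_protocols.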