Date: Sat, 6 Jul 2002 14:28:09 -0400
From: Zvezdan Petkovic
To: security@FreeBSD.ORG
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID: <20020706142809.A2652@dali.cs.wm.edu>
In-Reply-To: <20020706035731.N2631-100000@walter>

On Sat, Jul 06, 2002 at 04:02:27AM -0700, Jason Stone wrote:
> > > As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good
> > > time to make the 2,1 the default instead ?
> >
> > I'd like that. I think the only reason for the old default was not to
> > surprise users who had the ssh1 RSA host key in their known_hosts but
> > not the ssh2 DSA host key.
> >
> > What do people think about this? Keep 2,1 or revert to 1,2?
>
> There is a whole lot of infrastructure surrounding ssh v1 keys out there,
> and it will all break if you change the default to v2.

I usually keep silent but this really triggered me.

What do you mean when you say it will _all_ break? I remember very well
that switching to v2 didn't involve too much.

The default in OpenSSH source is Protocol 2,1. That doesn't exclude
Protocol 1. It only means that the client will try v2 first, and if it
doesn't succeed it will fall back to v1. Thus, if your server doesn't
want to talk v2 the client won't be able to use it and will work as v1.
For instance, an old Solaris server that's too slow to run v2 talks
happily (v1 only) with 2,1 clients without any change.

If you do not want your client to talk v2 at all, is it really that
difficult to roll a loop over your network and

    echo " Protocol 1,2" >>/etc/ssh/ssh_config

on your clients?

> With the 5.0-RELEASE on the not-too-distant horizon, I really think it
> best to not change default behaviour within a major release. Keep the
> default as it is - don't break people.

Did you actually try this to claim so confidently that the switch will
_break_ them so badly? My experience is not that bad.

-- 
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/
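One caveat on the "echo >> ssh_config" loop suggested in the reply: ssh_config uses the first obtained value for each keyword, so a Protocol line appended to the end of a file that already sets Protocol, or whose last section is a Host block, has no global effect. The script below is an added example, not code from the thread or from OpenSSH; ssh_config_get, ssh_config_set and the sample config are hypothetical and constructed, and the Protocol keyword itself is historical since OpenSSH later dropped protocol 1 entirely.

```shell
#!/bin/sh
# Added example (not from the thread): set or read an ssh_config keyword
# using ssh's own rule that the first obtained value wins, instead of
# blindly appending a line that may be shadowed or land inside a Host block.
# Assumes "Keyword value" syntax (not "Keyword=value"); helpers are hypothetical.

# Effective global value of keyword $2 in file $1: the first matching line
# before any Host/Match block, case-insensitive, comments skipped.
ssh_config_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == "host" || tolower($1) == "match" { exit }
        tolower($1) == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Set keyword $2 to value $3 in file $1: drop any existing global setting
# and put the new line first, so no earlier line can shadow it.
# Per-host settings inside Host/Match blocks are left untouched.
ssh_config_set() {
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$2" "$3"
        awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
            tolower($1) == "host" || tolower($1) == "match" { inblock = 1 }
            !inblock && tolower($1) == key { next }
            { print }
        ' "$1"
    } > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Constructed sample client config: a global Protocol line plus a per-host one.
make_sample_config() {
    printf '# constructed sample ssh_config\nProtocol 2,1\n\nHost legacy-solaris\n    Protocol 1\n' > "$1"
}

# Demo: the naive append leaves the global value at 2,1, because the new
# line lands after "Host legacy-solaris" and only applies to that host.
demo() {
    d=$(mktemp -d) || return 1
    make_sample_config "$d/ssh_config"
    echo " Protocol 1,2" >> "$d/ssh_config"
    printf 'after append: %s\n' "$(ssh_config_get "$d/ssh_config" Protocol)"
    ssh_config_set "$d/ssh_config" Protocol 1,2
    printf 'after set:    %s\n' "$(ssh_config_get "$d/ssh_config" Protocol)"
    rm -rf "$d"
}
demo
```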