Date: Sat, 6 Jul 2002 12:40:40 -0700
From: Sean Chittenden <sean@chittenden.org>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Trevor Johnson <trevor@jpj.net>, Mike Tancsa <mike@sentex.net>, Ruslan Ermilov <ru@FreeBSD.ORG>, security@FreeBSD.ORG
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID: <20020706124040.D43307@ninja1.internal>
In-Reply-To: <xzpit3utgcq.fsf@flood.ping.uio.no>; from "des@ofug.org" on Fri, Jul 05, 2002 at 04:11:01PM
References: <20020705094314.C73784-100000@blues.jpj.net> <xzpit3utgcq.fsf@flood.ping.uio.no>

> > Use of protocol version 1 makes an insertion attack possible, according to
> > <URL:http://www.openssh.com/security.html>.
>
> That same page also explains that OpenSSH contains code to make such
> attacks very difficult.
>
> > The vulnerability was
> > published by CORE SDI in June of 1998. I would like to see protocol
> > version 1 disabled by default, with a note in UPDATING about the change.
>
> No. I will not arbitrarily lock users out of their machines.

How about making it just proto 2 in -CURRENT and use that as the
version to phase out proto 1. With all of the other security goodies
going into 5.0, it seems like 5.0 would be shooting itself in the foot
to have SSH1 enabled with HMAC and some of the other ACL fun. Besides,
5.0 seems like a nice transition point to begin phasing out SSH1. -sc

--
Sean Chittenden

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message