Date:      Sat, 6 Jul 2002 19:28:07 -0400
From:      Scott Lambert <lambert@lambertfam.org>
To:        freebsd-security@freebsd.org
Subject:   Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE
Message-ID:  <20020706232807.GA76607@laptop.lambertfam.org>
In-Reply-To: <200207061752.g66HqNX00351@sheol.localdomain>
References:  <xzphejepfd7.fsf_-__flood.ping.uio.no@ns.sol.net> <20020706035731.N2631-100000_walter@ns.sol.net> <200207061752.g66HqNX00351@sheol.localdomain>

On Sat, Jul 06, 2002 at 12:52:23PM -0500, D J Hawkey Jr wrote:
> In article <20020706035731.N2631-100000_walter@ns.sol.net>,
> 	jason-fbsd-security@shalott.net writes:
> >> > As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good
> >> > time to make the 2,1 the default instead ?
> >> I'd like that.  I think the only reason for the old default was not to
> >> surprise users who had the ssh1 RSA host key in their known_hosts but
> >> not the ssh2 DSA host key.
> >>
> >> What do people think about this?  Keep 2,1 or revert to 1,2?
> > 
> > There is a whole lot of infrastructure surrounding ssh v1 keys out there,
> > and it will all break if you change the default to v2.
> 
> "2,1" means "v2" with fallback to "v1". This shouldn't break anything,
> unless something's already broken in a system's v2 configuration.

Unless you only have a v1 authorized key.  Then you have to go through
and either change all your ssh invocations in your scripts to use the "-1"
parameter or create v2 keys.

It sucks when your automated scripts don't run because of a new default.

I'll live with it for my 20 hosts.  Others, with bigger networks, have 
legitimate issues here.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert@lambertfam.org      
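The breakage Scott describes is easy to find ahead of a default change: a host whose authorized_keys holds only protocol-1 keys will reject a client that now tries v2 first, because a failed v2 authentication does not fall back to v1 (fallback only happens when the server speaks no v2 at all). The following audit script is an added example, not code from the thread or from FreeBSD; it assumes the OpenSSH authorized_keys line formats (a protocol-1 key line starts with the numeric bit count, a protocol-2 line with `ssh-rsa` or `ssh-dss`), and the sample key files it writes are constructed placeholders, not real keys. Lines that begin with options such as `from="..."` are reported as `unknown` rather than parsed.

```shell
#!/bin/sh
# Added example: audit authorized_keys files for protocol-1-only hosts,
# i.e. the ones whose automated logins would stop working under a
# "Protocol 2,1" client default unless a v2 key is added or the
# scripts pass "-1".  Not part of the original mailing-list thread.
#
# Assumed OpenSSH line formats:
#   protocol 1: "<bits> <exponent> <modulus> [comment]"   (first field numeric)
#   protocol 2: "ssh-rsa <base64> [comment]" / "ssh-dss <base64> [comment]"

# Classify one authorized_keys line as v1, v2, skip (blank/comment) or unknown.
classify_key_line() (
    set -f                      # no glob expansion while word-splitting the line
    set -- $1                   # split the line into whitespace-separated fields
    case "$1" in
        ''|'#'*)          echo skip ;;
        ssh-rsa|ssh-dss)  echo v2 ;;
        *)
            if printf '%s\n' "$1" | grep -Eq '^[0-9]+$'; then
                echo v1
            else
                echo unknown    # e.g. a line that starts with options like from="..."
            fi ;;
    esac
)

# Count v1 and v2 key lines in a file; prints "<v1count> <v2count>".
summarize_keys() {
    v1=0; v2=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $(classify_key_line "$line") in
            v1) v1=$((v1 + 1)) ;;
            v2) v2=$((v2 + 1)) ;;
        esac
    done < "$1"
    echo "$v1 $v2"
}

# Migration verdict for one file: v1-only hosts need a v2 key (or "-1" in
# the scripts that log in to them); v2-ready hosts are unaffected.
key_verdict() {
    set -- $(summarize_keys "$1")
    if [ "$1" -gt 0 ] && [ "$2" -eq 0 ]; then
        echo v1-only
    elif [ "$2" -gt 0 ]; then
        echo v2-ready
    else
        echo no-keys
    fi
}

# Constructed sample files (placeholder key material, not real keys).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/host1.authorized_keys" <<'EOF'
# backup user, protocol-1 key only
1024 35 1234567890123456789012345678901234567890 backup@host1
EOF

cat > "$SAMPLE_DIR/host2.authorized_keys" <<'EOF'
1024 35 1234567890123456789012345678901234567890 backup@host2
ssh-dss AAAAB3NzaC1kc3MAAACBAPlaceholderKeyMaterial= backup@host2
EOF

# Report: which hosts would break if clients switched to "Protocol 2,1".
for f in "$SAMPLE_DIR"/*.authorized_keys; do
    printf '%s: %s\n' "$(basename "$f")" "$(key_verdict "$f")"
done
```

Run it over a collection of `~/.ssh/authorized_keys` files gathered from the hosts your scripts log in to; anything reported as `v1-only` is a host where the job will fail after the default changes. The fix for those hosts is either a protocol-2 key (`ssh-keygen -t dsa` or `-t rsa`) added alongside the v1 key, or an explicit `-1` (equivalently `Protocol 1` in `ssh_config`) for that job until the key is replaced.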
