From owner-freebsd-security Sat Jul 6 16:28:26 2002
Date: Sat, 6 Jul 2002 19:28:07 -0400
From: Scott Lambert <lambert@lambertfam.org>
To: freebsd-security@freebsd.org
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE
Message-ID: <20020706232807.GA76607@laptop.lambertfam.org>
References: <20020706035731.N2631-100000_walter@ns.sol.net> <200207061752.g66HqNX00351@sheol.localdomain>
In-Reply-To: <200207061752.g66HqNX00351@sheol.localdomain>

On Sat, Jul 06, 2002 at 12:52:23PM -0500, D J Hawkey Jr wrote:
> In article <20020706035731.N2631-100000_walter@ns.sol.net>,
> jason-fbsd-security@shalott.net writes:
> >> > As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good
> >> > time to make the 2,1 the default instead ?
> >> I'd like that. I think the only reason for the old default was not to
> >> surprise users who had the ssh1 RSA host key in their known_hosts but
> >> not the ssh2 DSA host key.
> >>
> >> What do people think about this? Keep 2,1 or revert to 1,2?
> >
> > There is a whole lot of infrastructure surrounding ssh v1 keys out there,
> > and it will all break if you change the default to v2.
>
> "2,1" means "v2" with fallback to "v1". This shouldn't break anything,
> unless something's already broken in a system's v2 configuration.

Unless you only have a v1 authorized key. Then you have to go through and
either change all your ssh invocations in your scripts to use the "-1"
parameter or create v2 keys. It sucks when your automated scripts don't
run because of a new default.

I'll live with it for my 20 hosts. Others, with bigger networks, have
legitimate issues here.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert@lambertfam.org
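The breakage Scott describes only bites accounts whose authorized_keys holds protocol-1 keys and nothing else: a client that now tries v2 first will never offer the v1 RSA key, and an unattended script hangs or fails. The POSIX shell script below is an added example written for this archive page, not code from the thread or from FreeBSD, that inventories an authorized_keys file and reports whether it is v1-only, v2-only, mixed or empty, so an administrator can find the accounts that need new v2 keys (or an explicit "-1") before the default flips. It relies on the two on-disk key formats OpenSSH uses: a protocol-1 key line is "bits exponent modulus comment", a protocol-2 line starts with a key type such as ssh-rsa or ssh-dss. The sample files it writes are constructed, and the assumption that an options prefix (from="...", no-pty, ...) contains no embedded spaces is mine.

```shell
#!/bin/sh
# Added example: classify authorized_keys entries as SSH protocol 1 or 2.
# Assumption: an options prefix never contains whitespace inside quotes,
# so the line can be split on spaces.

# is_number WORD: true if WORD is a non-empty string of decimal digits
is_number() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# key_kind LINE: print v1, v2 or unknown for one authorized_keys line
key_kind() {
    set -f                      # no glob expansion while splitting the line
    set -- $1                   # split on whitespace
    set +f
    case "$1" in
        ssh-*|ecdsa-*) ;;       # v2 line without options
        *) is_number "$1" || shift ;;   # drop a leading options field
    esac
    if is_number "$1" && is_number "$2" && is_number "$3"; then
        echo v1                 # bits exponent modulus -> protocol 1 RSA key
    elif [ -n "$2" ]; then
        case "$1" in
            ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) echo v2; return ;;
        esac
        echo unknown
    else
        echo unknown
    fi
}

# audit_authorized_keys FILE: print v1-only, v2-only, mixed or none
audit_authorized_keys() {
    v1=0; v2=0
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
        case "$(key_kind "$line")" in
            v1) v1=$((v1 + 1)) ;;
            v2) v2=$((v2 + 1)) ;;
        esac
    done < "$1"
    if [ "$v1" -gt 0 ] && [ "$v2" -gt 0 ]; then echo mixed
    elif [ "$v1" -gt 0 ]; then echo v1-only      # will break once v2 is tried first
    elif [ "$v2" -gt 0 ]; then echo v2-only
    else echo none
    fi
}

# write_samples DIR: create two constructed authorized_keys files under DIR
write_samples() {
    cat > "$1/ak_v1only" <<'EOF'
# constructed sample: legacy backup account with a protocol-1 key only
1024 35 1291237129387129387129873123987 backup@oldhost
EOF
    cat > "$1/ak_mixed" <<'EOF'
# constructed sample: one v1 key plus two v2 keys, one with an options prefix
1024 35 1291237129387129387129873123987 backup@oldhost
from="10.1.0.2",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqcdummy scripts@laptop
ssh-dss AAAAB3NzaC1kc3MAAACBAN0dummy ops@host
EOF
}

# Stand-alone run: audit the two constructed files.
SAMPLE_DIR=${TMPDIR:-/tmp}
write_samples "$SAMPLE_DIR"
for f in ak_v1only ak_mixed; do
    printf '%s: %s\n' "$f" "$(audit_authorized_keys "$SAMPLE_DIR/$f")"
done
```

Run it against each account's ~/.ssh/authorized_keys (or whatever AuthorizedKeysFile points at) on the hosts that accept scripted logins; every file reported as v1-only is a script that stops working when the client default becomes 2,1.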