From owner-freebsd-current Tue Oct 22 23:19:43 2002 Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AD08737B401 for ; Tue, 22 Oct 2002 23:19:42 -0700 (PDT) Received: from pakastelohi.cypherpunks.to (pakastelohi.cypherpunks.to [213.130.163.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 605D943E6A for ; Tue, 22 Oct 2002 23:19:41 -0700 (PDT) (envelope-from shamrock@cypherpunks.to) Received: from VAIO650 (d160.nas2.sr2.sonic.net [208.201.229.160]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by pakastelohi.cypherpunks.to (Postfix) with ESMTP id B3EC83664E for ; Wed, 23 Oct 2002 08:19:31 +0200 (CEST) From: "Lucky Green" To: Subject: Request: remove ssh1 fallback Date: Tue, 22 Oct 2002 23:19:23 -0700 Message-ID: <007501c27a5c$27203fc0$6501a8c0@VAIO650> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG If I understand correctly, the next opportunity after 5.0R to make a change of such significance is FreeBSD 6.0. Since I suspect that few folks will want to have ssh1 enabled by the time 6.0 is released, I would like to request for the team to please consider disabling ssh1 fallback prior to 5.0R. Ssh1 is fundamentally broken. It uses a CRC where a MAC is required. While the attack detection logic in the code looks good, I don't know of many cryptographers that would be willing to bet that no further attacks exploiting ssh1's design flaws will be found. Ssh1 is a potential security hole with very little utility remaining given that ssh2-capable versions of ssh are readily available for a host of platforms and in fact have been so for some time. I therefore believe that the 5.0 release represents a perfect opportunity to remove ssh1 fallback from the default distribution of FreeBSD and hope the FreeBSD team will consider this change. Thanks, --Lucky Green To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message