From: "Lucky Green"
Subject: RE: Request: remove ssh1 fallback
Date: Wed, 23 Oct 2002 12:09:13 -0700
Message-ID: <008401c27ac7$ae3c8e80$6501a8c0@VAIO650>
In-Reply-To: <20021023161643.GA7813@HAL9000.homeunix.com>
Sender: owner-freebsd-current@FreeBSD.ORG

David wrote:
> Thus spake Steven Ames:
> > > Making SSH 2 the default is one thing. Removing SSH 1 as a fallback
> > > altogether is going to break compatibility with other systems like
> > > you'd never believe. For example, I regularly need to SSH into
> > > Solaris boxen running SSH 1. These machines aren't secure anyway,
> > > and since there's nothing I can do about it, I don't want any
> > > surprises when I upgrade.
> >
> > I think he was suggesting removing it from the sshd server, not the
> > client.
> > You can always specify the protocol on the command line with
> > the client even if it didn't fall back... and again he's suggesting it
> > for the default configuration, you can always change the
> > configuration. I'm not necessarily for this change I just want to be
> > sure what change is being suggested :)
>
> In either case, you break compatibility. Say I wanted to SSH
> from those Solaris boxen to my home machine, for example. (I
> don't, but that's not the point.) If my SSH server didn't
> have the SSH 1 fallback, there's nothing I could do from the
> command line to allow me to log in.

My apologies if my request was unclear: I am indeed only proposing to
remove ssh1 fallback mode from the default configuration file of sshd,
not from the default configuration of the ssh client.

This change would not impact any users of existing FreeBSD installations
as client or server. If somebody installs a fresh installation of
FreeBSD 5.0 on a machine it would out-of-the-box support login by ssh2
only. Anybody that wishes to enable ssh1 on this fresh install remains
able to do so. An upgrade shouldn't break your ssh settings regardless.

Yes, this change would, out of the box, potentially come as a noticeable
surprise for a small number of users: a user that needs to be able to
log into a 5.0 box from a machine on which ssh2 is not available would
manually need to enable ssh1 login in their sshd_config file. But I
would argue that permitting ssh1 login into a machine should be a
conscious act taken by the administrator by editing the config file, not
something that a distribution should enable by default in a new install.

Hope that helps somewhat clarify the scope of my request,
--Lucky Green
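The setting this message is about is the `Protocol` line in sshd_config. As an added example (not part of the original message, and not FreeBSD or OpenSSH code), the Python check below reports whether a given config enables ssh1. The sample files are constructed, and `compiled_default` is an assumed stand-in for the daemon's built-in value when the file has no `Protocol` line.

```python
import re

# Constructed sample files for illustration; not taken from any real system.
SAMPLE_FALLBACK = """\
# constructed sample: ssh1 fallback enabled
Port 22
Protocol 2,1
"""

SAMPLE_SSH2_ONLY = """\
# constructed sample: ssh2 only
#Protocol 2,1
protocol 2
Protocol 1
"""


def effective_protocols(config_text, compiled_default="2,1"):
    """Return the set of SSH protocol versions the config enables.

    Keywords are matched case-insensitively and the first Protocol line
    wins, as sshd does for repeated keywords. compiled_default is an
    assumption standing in for the daemon's built-in value when the
    file has no Protocol line.
    """
    value = compiled_default
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        # Keyword and argument are separated by whitespace and/or "=".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[1] and parts[0].lower() == "protocol":
            value = parts[1].split()[0]
            break  # later Protocol lines are ignored
    return {int(v) for v in value.split(",") if v.strip().isdigit()}


def allows_ssh1(config_text, compiled_default="2,1"):
    """True when ssh1 logins would be accepted under this config."""
    return 1 in effective_protocols(config_text, compiled_default)


if __name__ == "__main__":
    for name, text in (("fallback", SAMPLE_FALLBACK), ("ssh2-only", SAMPLE_SSH2_ONLY)):
        print(name, sorted(effective_protocols(text)), "ssh1 allowed:", allows_ssh1(text))
```

In the second sample the commented-out line and the later `Protocol 1` are both ignored, so the result is ssh2 only.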