Date:      Thu, 15 Feb 2001 13:30:00 -0800
From:      Kris Kennaway <kris@obsecurity.org>
To:        Jan Conrad <conrad@th.physik.uni-bonn.de>
Cc:        Kris Kennaway <kris@obsecurity.org>, freebsd-security@freebsd.org, Ralph Schreyer <schreyer@th.physik.uni-bonn.de>
Subject:   Re: Why does openssh protocol default to 2?
Message-ID:  <20010215133000.A12807@mollari.cthul.hu>
In-Reply-To: <Pine.BSF.4.33.0102151309060.41000-100000@merlin.th.physik.uni-bonn.de>; from conrad@th.physik.uni-bonn.de on Thu, Feb 15, 2001 at 01:18:45PM +0100
References:  <20010215033410.A86524@mollari.cthul.hu> <Pine.BSF.4.33.0102151309060.41000-100000@merlin.th.physik.uni-bonn.de>



On Thu, Feb 15, 2001 at 01:18:45PM +0100, Jan Conrad wrote:
> On Thu, 15 Feb 2001, Kris Kennaway wrote:
> 
> > On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote:
> > > Hello,
> > >
> > > for quite a long time now I cannot understand why people encourage others
> > > to use ssh2 by default and I wanted to ask the readers of this list for
> > > their opinion.
> >
> > SSH1 has fundamental protocol flaws.  SSH2 doesn't, that we know of.
> 
> I knew that statement... Could you give me a good reference for a
> detailed discussion on that?

www.core-sdi.com probably has some information - there are recently
discovered flaws and a number of older ones.

> > I don't understand your complaint.  If you don't want to use SSH2 with
> > RSA/DSA keys, don't do that.  Use the UNIX password or some other PAM
> > authentication module (OPIE, etc)
> 
> Sorry - I did not want to complain... (really :-)
> 
> What would you suggest for NFS mounted home dirs as a reasonable solution?
> (To store keys I mean..)

If you have people sniffing your NFS traffic then you're in trouble
anyway since they can probably spoof things very easily.  Consider
what's really your threat model here.

If you really don't want people to use DSA authentication (it's not a
security risk unless they use a weak passphrase) then disable it with
the appropriate configuration directive in /etc/ssh/sshd_config.

Kris
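The reply above points at two sshd_config settings without spelling them out: whether protocol 1 is still offered, and whether public-key (RSA/DSA) authentication is accepted. The script below is an added example for this archive page, not code from the thread or from the OpenSSH project. It audits a config file for those two settings and rewrites the weak values the way an administrator following the advice would. The keyword names `Protocol` and `PubkeyAuthentication` are the spellings used by current OpenSSH and are assumed here (the releases contemporary with the thread used a different name for the latter); the sample configuration is constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the two
# settings the reply discusses (SSH protocol 1, public-key authentication) and
# rewrite the weak values. Keyword names "Protocol" and "PubkeyAuthentication"
# are the current OpenSSH sshd_config spellings (an assumption for this example).
# sshd honours the FIRST uncommented occurrence of a keyword, so the helpers do too.

# Constructed sample configuration so the script runs stand-alone.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG" "$SAMPLE_CFG.tmp"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config: still offers protocol 1 and accepts public keys
Protocol 2,1
PubkeyAuthentication yes
PasswordAuthentication yes
EOF

# effective_value FILE KEYWORD: print the value sshd would use for KEYWORD
# (first match, keyword compared case-insensitively, commented lines ignored).
effective_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# protocol1_enabled FILE: succeed (exit 0) when the Protocol line lists version 1.
protocol1_enabled() {
    v=$(effective_value "$1" Protocol)
    case ",$v," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# pubkey_auth_enabled FILE: succeed unless PubkeyAuthentication is explicitly "no"
# (the keyword defaults to yes when absent).
pubkey_auth_enabled() {
    v=$(effective_value "$1" PubkeyAuthentication)
    [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" != "no" ]
}

# set_directive FILE KEYWORD VALUE: replace the first uncommented KEYWORD line,
# or append one if the file has none.
set_directive() {
    file=$1 key=$2 val=$3
    if awk -v key="$key" '$1 !~ /^#/ && tolower($1) == tolower(key) { f = 1 } END { if (f) exit 0; exit 1 }' "$file"; then
        awk -v key="$key" -v val="$val" \
            '!done && $1 !~ /^#/ && tolower($1) == tolower(key) { print key " " val; done = 1; next } { print }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$val" >> "$file"
    fi
}

# audit FILE: print findings; exit status 1 if protocol 1 is still offered.
# Public-key auth is only reported, matching the reply: it is not a risk by itself.
audit() {
    rc=0
    if protocol1_enabled "$1"; then
        echo "WEAK: $1 still offers SSH protocol 1 (Protocol $(effective_value "$1" Protocol))"; rc=1
    fi
    if pubkey_auth_enabled "$1"; then
        echo "NOTE: $1 accepts public-key authentication (PubkeyAuthentication)"
    fi
    return $rc
}

audit "$SAMPLE_CFG" || true
set_directive "$SAMPLE_CFG" Protocol 2
set_directive "$SAMPLE_CFG" PubkeyAuthentication no
audit "$SAMPLE_CFG" && echo "OK: protocol 1 disabled, public-key auth off"
```

Run it against a copy of the real /etc/ssh/sshd_config to see what sshd will actually use; because sshd takes the first occurrence of a keyword, a hardened line appended at the end of a file that already sets the keyword earlier has no effect, which is why `set_directive` edits the first uncommented match instead of appending blindly.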


