Date: Fri, 5 Jul 2002 10:01:45 -0400 (EDT) From: Trevor Johnson <trevor@jpj.net> To: Dag-Erling Smorgrav <des@ofug.org> Cc: Mike Tancsa <mike@sentex.net>, Ruslan Ermilov <ru@FreeBSD.ORG>, <security@FreeBSD.ORG> Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1] Message-ID: <20020705094314.C73784-100000@blues.jpj.net> In-Reply-To: <xzphejepfd7.fsf_-_@flood.ping.uio.no>
next in thread | previous in thread | raw e-mail | index | archive | help
> > As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good > > time to make the 2,1 the default instead ? > > I'd like that. I think the only reason for the old default was not to > surprise users who had the ssh1 RSA host key in their known_hosts but > not the ssh2 DSA host key. > > What do people think about this? Keep 2,1 or revert to 1,2? Use of protocol version 1 makes an insertion attack possible, according to <URL:http://www.openssh.com/security.html>. The vulnerability was published by CORE SDI in June of 1998. I would like to see protocol version 1 disabled by default, with a note in UPDATING about the change. -- Trevor Johnson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020705094314.C73784-100000>