Date: Thu, 15 Feb 2001 13:18:45 +0100 (CET) From: Jan Conrad <conrad@th.physik.uni-bonn.de> To: Kris Kennaway <kris@obsecurity.org> Cc: <freebsd-security@freebsd.org>, Ralph Schreyer <schreyer@th.physik.uni-bonn.de> Subject: Re: Why does openssh protocol default to 2? Message-ID: <Pine.BSF.4.33.0102151309060.41000-100000@merlin.th.physik.uni-bonn.de> In-Reply-To: <20010215033410.A86524@mollari.cthul.hu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 15 Feb 2001, Kris Kennaway wrote: > On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote: > > Hello, > > > > for quite a long time now I cannot understand why people encourage others > > for using ssh2 by default and I wanted to ask the readers of this list for > > their opinion. > > SSH1 has fundamental protocol flaws. SSH2 doesn't, that we know of. I knew that statement... Could you give me a good reference for a detailed discussion on that? > > > Even though I believe people saying that ssh2 is much more secure for root > > accounts and servers etc. I don't see why this should be true in general. > > > > Especially on bigger, say university networks as ours, where you often > > find BNC segments or the switches are more or less acessible to everyone > > (who really wants to...) in my opinion ssh2 is much more insecure as ssh1. > > > > My problem simply is that the id_dsa file is stored in user home dirs, > > which typically are mounted via NFS. So ssh2, in contrast to ssh1 with > > RSAAuthentication disabled, allows sniffers to access your system even > > without *actively* attacking your system, all you need is the id_dsa > > file.... > > > > Even if that file is protected by a passphrase, you don't gain much... > > I don't understand your complaint. If you don't want to use SSH2 with > RSA/DSA keys, don't do that. Use the UNIX password or some other PAM > authentication module (OPIE, etc) Sorry - I did not want to complain... (really :-) What would you suggest for NFS mounted home dirs as a reasonable solution? (To store keys I mean..) > > Kris > Jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.33.0102151309060.41000-100000>