[12995] in bugtraq
Re: SSH 1 Why?
daemon@ATHENA.MIT.EDU (Iván Arce)
Thu Dec 16 19:26:35 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Message-Id: <385924DA.4DA39B56@core-sdi.com>
Date: Thu, 16 Dec 1999 15:28:48 -0300
Reply-To: Iván Arce <core.lists.bugtraq@CORE-SDI.COM>
From: Iván Arce <core.lists.bugtraq@CORE-SDI.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
Emiel Kollof wrote:
> Emiliano Kargieman wrote:
> >
> > What you are missing is the following: upgrading to SSH 2 implies upgrading to
> > version 2 of the protocol, in order to prevent the abovementioned problem you
> > can no longer support compatibility with version 1.x of the protocol. So you
> > have to update all your SSH servers and clients.
>
> Not true. If you have ssh1 installed, and you compile ssh2, ssh2
> maintains version1 protocol compatibility, which means you can still
> connect to a ssh2 sshd with a ssh1 client.
>
Yes, but that's exactly what you DON'T want.
Protocol version 1 (note that I said protocol, not ssh) has the problem
that Emiliano was referring to, besides being much more modular and clean.
If you are really concerned about security you don't want backwards
compatibility with a flawed protocol. Therefore, your SSH2 servers shouldn't
allow v1 connections, therefore you should upgrade the clients as well.
This reminds me of the issues related to MS NT and MS win95 authentication...
-ivan
--
"Understanding. A cerebral secretion that enables one having it to know
a house from a horse by the roof on the house.
Its nature and laws have been exhaustively expounded by Locke,
who rode a house, and Kant, who lived in a horse." - Ambrose Bierce
==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : iarce@core-sdi.com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina. Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================
--- For a personal reply use iarce@core-sdi.com
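
An added example, not part of the original message: a banner classifier for auditing which servers still accept protocol version 1 connections. It assumes the identification-string convention later standardized in RFC 4253, where a server advertising `1.99` supports both 1.x and 2.0; the function names, host names and sample banners are constructed for illustration.

```python
import re

# Identification string: SSH-<protoversion>-<softwareversion>[ SP comments]
_ID_RE = re.compile(rb"^SSH-(\d+)\.(\d+)-(\S+)(?: (.*))?$")


def classify_banner(raw: bytes) -> str:
    """Return 'v2-only', 'v1-compatible', 'v1-only' or 'unknown'."""
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # a server may send free-text lines before its id string
        m = _ID_RE.match(line)
        if not m:
            return "unknown"  # starts with SSH- but is malformed
        major, minor = int(m.group(1)), int(m.group(2))
        if (major, minor) == (1, 99):
            return "v1-compatible"  # speaks 2.0 but still accepts 1.x clients
        if major == 1:
            return "v1-only"
        if major == 2:
            return "v2-only"
        return "unknown"
    return "unknown"  # no identification string seen at all


def hosts_accepting_v1(banners: dict) -> list:
    """List hosts whose banner shows protocol 1 is still accepted."""
    weak = ("v1-compatible", "v1-only")
    return sorted(h for h, b in banners.items() if classify_banner(b) in weak)


# Constructed sample banners (hypothetical hosts and software names).
SAMPLE = {
    "host-a.example": b"SSH-2.0-ExampleSSHD_1.0\r\n",
    "host-b.example": b"SSH-1.99-ExampleSSHD_1.0\r\n",
    "host-c.example": b"SSH-1.5-1.2.27\n",
    "host-d.example": b"Welcome to host-d\r\nSSH-2.0-ExampleSSHD_1.0 build7\r\n",
    "host-e.example": b"220 not an ssh service\r\n",
}

if __name__ == "__main__":
    for host in hosts_accepting_v1(SAMPLE):
        print(host, classify_banner(SAMPLE[host]))
```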