[12999] in bugtraq


Re: SSH 1 Why?

daemon@ATHENA.MIT.EDU (Emil S Hansen)
Thu Dec 16 20:10:55 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <8940E1C008FAD111BB8500A0C98346F3014CA092@gtsnt3.gts.dk>
Date:         Thu, 16 Dec 1999 18:33:00 +0100
Reply-To: Emil S Hansen <laven.data@IMAGE.DK>
From: Emil S Hansen <laven.data@IMAGE.DK>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <8940E1C008FAD111BB8500A0C98346F301AC9C45@gtsnt3.gts.dk>

> > What you are missing is the following: upgrading to SSH 2 implies
> > upgrading to version 2 of the protocol; in order to prevent the
> > abovementioned problem you can no longer support compatibility with
> > version 1.x of the protocol. So you have to update all your SSH servers
> > and clients.
>
> Not true. If you have ssh1 installed, and you compile ssh2, ssh2
> maintains version 1 protocol compatibility, which means you can still
> connect to an ssh2 sshd with an ssh1 client.
>
No, that is (AFAIK) not true. sshd2 uses sshd1 for compatibility with older
ssh1 clients, so you have to have sshd1 installed to use the compatibility
mode of sshd2 (which just spawns sshd1 if it sees an incoming ssh1
connection).

E.g. sshd2 will spawn the (vulnerable) sshd1 when an SSH1 connection is made.

>
> This might be a valid point. But upgrading *all* clients to ssh2 is not
> necessary. You can still maintain ssh1 compatibility.
>
Yes, at the cost of NOT being safe. You are still running the old insecure
version, but now you are just running it alongside a safe version.

But since when is it an option to have unsafe software installed when there
is a safe alternative? Most WinXX clients support both SSH1 and SSH2
nowadays, and a quick compile of ssh2 on most unix boxes is surely worth the
time compared to the risk of having sshd1 running!

I just don't see anything that justifies running an unsafe piece of software
on a production system.

Mvh.

        Emil S Hansen
        laven.data@image.dk
        UIN: 15749535 & 45621049

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GED d- s+:- a-- C++ UL++++ P+ L+++ E W++ N++ o K- w+ O- M-- V- PS+ PE-- Y+
PGP+ t- 5+ X++ R* tv- b++ DI++ D++
G e h r y+
------END GEEK CODE BLOCK------
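
The thread turns on whether a server that "maintains version 1 compatibility" is still exposing protocol 1. A defender can answer that for their own fleet from the identification string an SSH server sends before key exchange: RFC 4253 (section 5.1) specifies that a server willing to speak both protocol 1.x and 2.0 identifies itself as `SSH-1.99-...`, a protocol-1-only server as `SSH-1.x-...`, and a protocol-2-only server as `SSH-2.0-...`. The script below is an added example written for this archive page, not code from the thread or from any SSH implementation. The banner values are constructed samples, the host names are placeholders, and `fetch_banner` is an assumed helper for live inventory; the classification itself runs offline on the samples.

```python
import re
import socket

# Constructed sample identification strings (not taken from the thread).
# Each is the first line an SSH server sends: SSH-protoversion-softwareversion.
SAMPLE_BANNERS = {
    "legacy-host.example": "SSH-1.5-1.2.27",      # protocol 1 only
    "compat-host.example": "SSH-1.99-2.0.13",     # offers 1.x AND 2.0
    "modern-host.example": "SSH-2.0-OpenSSH_8.9", # protocol 2 only
}

# SSH-<protoversion>-<softwareversion>[ <comments>]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")


def classify_banner(banner):
    """Report which protocol versions a server advertises.

    Follows RFC 4253 s5.1: "2.0" is protocol 2 only, "1.99" means the server
    accepts both 1.x and 2.0 clients, and any other "1.x" is protocol 1 only.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    proto, software = m.group("proto"), m.group("software")
    if proto == "2.0":
        return {"v1": False, "v2": True, "software": software}
    if proto == "1.99":
        return {"v1": True, "v2": True, "software": software}
    if proto.startswith("1."):
        return {"v1": True, "v2": False, "software": software}
    raise ValueError("unknown SSH protocol version: %r" % proto)


def hosts_accepting_v1(banners):
    """Return the sorted list of hosts that still accept protocol 1 clients,
    i.e. the hosts the thread's compatibility-mode argument is about."""
    return sorted(host for host, banner in banners.items()
                  if classify_banner(banner)["v1"])


def fetch_banner(host, port=22, timeout=5.0):
    """Assumed helper for live inventory of hosts you administer: read the
    server's identification line. Not used by the offline demo below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = s.recv(1)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace")


if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        print("%-22s %-22s %s" % (host, banner, classify_banner(banner)))
    print("hosts still accepting protocol 1:", hosts_accepting_v1(SAMPLE_BANNERS))
```

Running it on the constructed samples lists `compat-host.example` next to the protocol-1-only `legacy-host.example`: a server in compatibility mode advertises `1.99` and will still negotiate protocol 1 with an old client, which is exactly the state the reply above calls unsafe. To inventory real hosts, replace the sample dictionary with the output of `fetch_banner` for each host you are responsible for.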
