On Fri, Feb 09, 2001 at 10:31:41AM -0500, Adam Spickler wrote:
> SH2 is supposed to be more secure. Stability, not sure about. However, one thing to think about... someone can load the local "exploit" dsniff on your machine. This makes ssh1 look as cleartext as telnet. Fortunately, it hasn't been done for ssh2 yet. Personally, I like using RSA keys. Make sure to disable xauth, that's another security risk... etc, etc.

[pleasewrapyourlinesatsomethingreasonablelike72characterssoyourmessageisreadable]

let's de-FUD this just a tad, the dsniff business is a man in the middle attack, an attack that will ONLY succeed if the user ignores ssh's very loud warnings about a changed host key upon initial connection. openssh won't even allow you to login to such a host easily, and refuses to allow you to use password auth.

the other case where that could succeed is if you fail to do any verification of the host key you receive when connecting to a host you have never connected to before.

if you take care to verify host keys and NEVER ignore warnings about changed keys. contact the admin and find out what happened and have him give you the key fingerprint so you can verify you are getting the correct host key. if you do this you are not vulnerable to dsniff.

reports of ssh1's death have been greatly exaggerated.

--
Ethan Benson
http://www.alaska.net/~erbenson/
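The fingerprint check described in the message above, as an added example that is not part of the original post: it hashes the host key a server presented and compares it with the fingerprint obtained from the admin out of band. It assumes the OpenSSH protocol 2 public key line format (not the ssh1 key format the thread discusses) and the fingerprint notations `ssh-keygen -l` prints; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_key_blob(line):
    """Return the raw key blob from a public key file or known_hosts line."""
    fields = line.split()
    # known_hosts lines start with a host field, .pub files with the key type.
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1], validate=True)
            if len(blob) < 4:
                raise ValueError("key blob too short")
            # The blob begins with a length-prefixed copy of the key type.
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != field.encode("ascii"):
                raise ValueError("key type does not match key blob")
            return blob
    raise ValueError("no SSH public key found in line")

def fingerprints(blob):
    """Fingerprints as ssh-keygen -l prints them: legacy MD5 hex and SHA256 base64."""
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "MD5": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
        "SHA256": base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }

def matches_admin_fingerprint(line, admin_fp):
    """True only if the presented key hashes to the fingerprint the admin gave."""
    algo, _, value = admin_fp.strip().partition(":")
    if algo not in ("MD5", "SHA256"):      # bare aa:bb:... form from older clients
        algo, value = "MD5", admin_fp.strip()
    if algo == "MD5":
        value = value.lower()
    computed = fingerprints(parse_key_blob(line))[algo]
    return hmac.compare_digest(computed.encode(), value.encode())

# Constructed sample: an ed25519-shaped blob with placeholder key bytes, not a real host key.
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_LINE = "host.example.org ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
```

A mismatch here corresponds to the changed-host-key warning in the message: the connection should not proceed until the admin has confirmed the key.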