Iain Tatch wrote:
AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though,as SSH2 so far does not support RSA keypairs and needs DSA keys.That's the impression I was under, too. In which case the current stable release of Debian comes with an sshd which uses protocol 1 and is therefore open to allowing remote root compromises.
Just a quick precision here : you have to _disable_ v1 in order to be protected from that vulnerability. The point here is not that you have to support v2, it's that you have to disallow v1. A recent daemon allowing ssh1 connections is vulnerable.
-- Daniel