[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Don't panic (ssh)

Iain Tatch wrote:

AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need
to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though,
as SSH2 so far does not support RSA keypairs and needs DSA keys.
That's the impression I was under, too. In which case the current stable
release of Debian comes with an sshd which uses protocol 1 and is
therefore open to allowing remote root compromises.

Just a quick precision here : you have to _disable_ v1 in order to be protected from that vulnerability. The point here is not that you have to support v2, it's that you have to disallow v1. A recent daemon allowing ssh1 connections is vulnerable.


Reply to: