Re: Don't panic (ssh)

To: Iain Tatch <debian@deepsea.force9.co.uk>
Cc: crispin@iinet.net.au, debian-security@lists.debian.org
Subject: Re: Don't panic (ssh)
From: Daniel Polombo <polombo@cartel-info.fr>
Date: Mon, 14 Jan 2002 13:45:07 +0100
Message-id: <[🔎] 3C42D2D3.3010300@cartel-info.fr>
References: <[🔎] 20020114113022.B6695@pollux.frmug.org> <[🔎] 20020114103517.GA524@lise.hsc.fr> <[🔎] 25582565144.20020114110738@deepsea.force9.co.uk> <[🔎] 20020114194834.H3867@earth> <[🔎] 27586742581.20020114121715@deepsea.force9.co.uk>

Iain Tatch wrote:

AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need
to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though,

as SSH2 so far does not support RSA keypairs and needs DSA keys.

That's the impression I was under, too. In which case the current stable
release of Debian comes with an sshd which uses protocol 1 and is
therefore open to allowing remote root compromises.

Just a quick precision here : you have to _disable_ v1 in order to beprotected from that vulnerability. The point here is not that you have tosupport v2, it's that you have to disallow v1. A recent daemon allowing ssh1connections is vulnerable.


--
Daniel

Reply to:

Follow-Ups:
- RE: Don't panic (ssh)
  - From: "Craigsc" <craigsc@zdata.co.za>

References:
- Don't panic (ssh)
  - From: Jacques Lav!gnotte <jaclavi@pollux.frmug.org>
- Re: Don't panic (ssh)
  - From: Thomas Seyrat <thomas@glou.net>
- Re: Don't panic (ssh)
  - From: Iain Tatch <debian@deepsea.force9.co.uk>
- Re: Don't panic (ssh)
  - From: crispin@iinet.net.au
- Re: Don't panic (ssh)
  - From: Iain Tatch <debian@deepsea.force9.co.uk>

Prev by Date: Re: Debian security being trashed in Linux Today comments
Next by Date: RE: Don't panic (ssh)
Previous by thread: Re: Don't panic (ssh)
Next by thread: RE: Don't panic (ssh)
Index(es):
- Date
- Thread