
RE: Don't panic (ssh)



How do you disable ssh1 protocol with the current
ssh on potato?

..Craig

-----Original Message-----
From: Daniel Polombo [mailto:polombo@cartel-info.fr]
Sent: Monday, January 14, 2002 2:45 PM
To: Iain Tatch
Cc: crispin@iinet.net.au; debian-security@lists.debian.org
Subject: Re: Don't panic (ssh)


Iain Tatch wrote:


>
>>AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need
>>to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though,
>>as SSH2 so far does not support RSA keypairs and needs DSA keys.
>>
> That's the impression I was under, too. In which case the current stable
> release of Debian comes with an sshd which uses protocol 1 and is
> therefore open to allowing remote root compromises.

Just a quick precision here: you have to _disable_ v1 in order to be
protected from that vulnerability. The point here is not that you have to
support v2, it's that you have to disallow v1. A recent daemon allowing ssh1
connections is vulnerable.

--
Daniel
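
Added example, not part of the original thread or any poster's code: a shell check for the point made above, that sshd has to refuse protocol 1 and not merely offer protocol 2. It assumes an OpenSSH sshd_config that uses the Protocol keyword; the function name check_ssh_protocol and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this sshd_config still let sshd accept SSH protocol 1?
# Assumes OpenSSH's "Protocol" keyword; check_ssh_protocol is a hypothetical name.
# Exit status: 0 = protocol 1 refused, 1 = protocol 1 accepted,
#              2 = no Protocol line (the version's built-in default applies).
check_ssh_protocol() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        # Keywords are case-insensitive and the first occurrence wins.
        tolower($1) == "protocol" && !seen {
            seen = 1
            val = ""
            for (i = 2; i <= NF; i++) val = val $i   # accept "2,1" and "2, 1"
            n = split(val, v, ",")
            for (i = 1; i <= n; i++) if (v[i] == "1") v1 = 1
        }
        END {
            if (!seen) { print "no Protocol line: built-in default applies"; exit 2 }
            if (v1)    { print "protocol 1 ACCEPTED (Protocol " val ")"; exit 1 }
            print "protocol 1 refused (Protocol " val ")"
        }
    '
}

# Constructed sample config: offers v2 but still accepts v1.
check_ssh_protocol <<'EOF' || echo "exit status: $?"
Port 22
Protocol 2,1
PermitRootLogin no
EOF
```

Feed it the server's sshd_config on stdin. Status 2 means the answer depends on the installed version's default, so set the Protocol line explicitly.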

