[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: Don't panic (ssh)

How do you disable ssh1 protocol with the current
ssh on potato ?>


-----Original Message-----
From: Daniel Polombo [mailto:polombo@cartel-info.fr]
Sent: Monday, January 14, 2002 2:45 PM
To: Iain Tatch
Cc: crispin@iinet.net.au; debian-security@lists.debian.org
Subject: Re: Don't panic (ssh)

Iain Tatch wrote:

>>AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you
>>to use SSH2 protocol. OpenSSH supports SSH2. You need different keys
>>as SSH2 so far does not support RSA keypairs and needs DSA keys.
> That's the impression I was under, too. In which case the current stable
> release of Debian comes with an sshd which uses protocol 1 and is
> therefore open to allowing remote root compromises.

Just a quick precision here : you have to _disable_ v1 in order to be
protected from that vulnerability. The point here is not that you have to
support v2, it's that you have to disallow v1. A recent daemon allowing ssh1
connections is vulnerable.


To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact

Reply to: