
RE: Don't panic (ssh)



Debian has back ported the fix for the CRC-32 vulnerability into both
OpenSSH (1.2.3-9.3) and ssh-nonfree/ssh-socks (1.2.27-6.2) for Debian
stable.

This is documented at:
http://www.debian.org/security/2001/dsa-086

This would appear to remove any concern about using SSH version 1
protocol as long as you are running the updated sshd.

The published vulnerabilities for ssh1 have been against the
implementation in the sshd application itself, not in the ssh1
protocol. The current Debian versions have addressed the
implementation issues.

Please correct me if I am mistaken...

Thanks,

Denny

> -----Original Message-----
> From: Craigsc [mailto:craigsc@zdata.co.za]
> Sent: Monday, January 14, 2002 7:06 AM
> To: Debian-Security; Daniel Polombo
> Subject: RE: Don't panic (ssh)
>
>
> How do you disable ssh1 protocol with the current
> ssh on potato?
>
> ..Craig
>
> -----Original Message-----
> From: Daniel Polombo [mailto:polombo@cartel-info.fr]
> Sent: Monday, January 14, 2002 2:45 PM
> To: Iain Tatch
> Cc: crispin@iinet.net.au; debian-security@lists.debian.org
> Subject: Re: Don't panic (ssh)
>
>
> Iain Tatch wrote:
>
>
> >
> >>AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need
> >>to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though,
> >>as SSH2 so far does not support RSA keypairs and needs DSA keys.
> >>
> > That's the impression I was under, too. In which case the current stable
> > release of Debian comes with an sshd which uses protocol 1 and is
> > therefore open to allowing remote root compromises.
>
> Just a quick precision here : you have to _disable_ v1 in order to be
> protected from that vulnerability. The point here is not that you have to
> support v2, it's that you have to disallow v1. A recent daemon allowing ssh1
> connections is vulnerable.
>
> --
> Daniel
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
>

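The practical follow-up to Craig's question and Daniel's point is to verify that sshd no longer accepts protocol 1. The script below is an added example, not code from anyone in this thread or from Debian; it assumes an OpenSSH release that understands the `Protocol` directive in sshd_config (sshd honours the first uncommented occurrence of a keyword, so that is the line it reads), and treats a config with no `Protocol` line as still allowing v1, because OpenSSH releases of that era defaulted to both protocols. The two sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: report whether an sshd_config
# still allows SSH protocol 1. Assumes an OpenSSH release that understands
# the "Protocol" directive; sshd honours the first uncommented occurrence
# of a keyword, so that is the one read here.

# allows_ssh1 FILE -> exit 0 if protocol 1 is allowed, 1 if it is disabled
allows_ssh1() {
    proto=$(awk 'tolower($1) == "protocol" { print $2; exit }' "$1")
    if [ -z "$proto" ]; then
        # No directive at all: OpenSSH of that era defaulted to both
        # protocols, so treat the host as still accepting v1.
        return 0
    fi
    case ",$proto," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# check_config FILE -> prints a one-line verdict for an administrator
check_config() {
    if allows_ssh1 "$1"; then
        echo "$1: protocol 1 enabled - set 'Protocol 2' and restart sshd"
    else
        echo "$1: protocol 1 disabled"
    fi
}

# Constructed sample configs (not from any real host). The first shows the
# trap of a commented-out fix above a live "Protocol 2,1" line; the second
# is the corrected form.
WEAK_CFG=$(mktemp)
FIXED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$FIXED_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# Protocol 2
Port 22
Protocol 2,1
PermitRootLogin no
EOF
cat > "$FIXED_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
EOF

check_config "$WEAK_CFG"
check_config "$FIXED_CFG"
```

Run it against /etc/ssh/sshd_config on a real host with `check_config /etc/ssh/sshd_config`; the commented-out line in the first sample is the common mistake the check is meant to catch, since the commented directive looks like a fix but the later `Protocol 2,1` line is what sshd actually uses.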