
Bug#151877: acknowledged by developer (Re: ssh: bad advice from debconf)



hello,
| It's perhaps true that the message above was added too early in
| OpenSSH's life cycle. However, in my opinion and in the opinion of other
| SSH implementors I've talked to, it's no longer sensible to recommend
| SSH 1 over SSH 2. The latter is simply a better-designed protocol, with
| support for extensions that wasn't remotely present in SSH 1, and by now
| it's been quite thoroughly audited. The relative rarity of reported SSH
| 1-only vulnerabilities is simply because it's no longer attracting much
| in the way of audit *at all* compared with SSH 2.
| 
| I think we're giving the right advice.

i cannot present any evidence about auditing, so i won't argue with this.

another thing: enabling both protocols at once of course increases the
"area" of the potentially vulnerable protocol interface. if the user
requires the use of v1 for compatibility, there should be an option
to enable v1 only.

  -- erno



