
Bug#151877: marked as done (ssh: bad advice from debconf)



Your message dated Wed, 21 Jan 2004 01:02:22 +0000
with message-id <20040121010221.GA12872@riva.ucam.org>
and subject line ssh: bad advice from debconf
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 4 Jul 2002 04:42:57 +0000
>From erno@fabulous.u--3.com Wed Jul 03 23:42:57 2002
Return-path: <erno@fabulous.u--3.com>
Received: from fabulous.u--3.com [212.50.142.250] (postfix)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 17PySG-00015E-00; Wed, 03 Jul 2002 23:42:56 -0500
Received: by fabulous.u--3.com (Postfix, from userid 1000)
	id 49EFC58000A; Thu,  4 Jul 2002 07:42:53 +0300 (EEST)
From: Erno Kuusela <erno-debbugs@erno.iki.fi>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ssh: bad advice from debconf
X-Mailer: reportbug 1.50
Date: Thu, 04 Jul 2002 07:42:53 +0300
Message-Id: <20020704044253.49EFC58000A@fabulous.u--3.com>
Delivered-To: submit@bugs.debian.org

Package: ssh
Version: 1:3.4p1-0.0woody1
Severity: normal
Tags: security

debconf says:

┌───────────────────────────┤ Configuring Ssh ├────────────────────────────┐
│                                                                          │
│ This version of OpenSSH supports version 2 of the ssh protocol, which    │
│ is much more secure.  Disabling ssh 1 is encouraged, however this will   │
│ slow things down on low end machines and might prevent older clients     │
│ from connecting (the ssh client shipped with "potato" is affected).      │
...

from past experience, this is debatable to put it mildly. both the
latest and the zlib vulnerabilities affect protocol 2 only. it appears
to be more complex than protocol 1 and the code is less mature, both
contributing to bug proneness.

it should ask, "Allow protocol 1 only?".

there are no major problems with the security of protocol 1 as currently
implemented in openssh as far as i know.


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux fabulous 2.4.19-pre3-ac3 #6 Sat Mar 30 03:44:11 EET 2002 i686
Locale: LANG=C, LC_CTYPE=fi_FI

Versions of packages ssh depends on:
ii  adduser                       3.47       Add and remove users and groups
ii  debconf                       1.0.32     Debian configuration management sy
ii  libc6                         2.2.5-6    GNU C Library: Shared libraries an
ii  libpam-modules                0.72-35    Pluggable Authentication Modules f
ii  libpam0g                      0.72-35    Pluggable Authentication Modules l
ii  libssl0.9.6                   0.9.6c-2   SSL shared libraries
ii  libwrap0                      7.6-9      Wietse Venema's TCP wrappers libra
ii  zlib1g                        1:1.1.4-1  compression library - runtime


---------------------------------------
Received: (at 151877-done) by bugs.debian.org; 21 Jan 2004 10:31:42 +0000
>From cjwatson@flatline.org.uk Wed Jan 21 02:31:42 2004
Return-path: <cjwatson@flatline.org.uk>
Received: from chiark.greenend.org.uk [193.201.200.170] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1AjFeA-0008Rz-00; Wed, 21 Jan 2004 02:31:42 -0800
Received: from [192.168.124.112] (helo=riva.lab.dotat.at)
	by chiark.greenend.org.uk (Debian Exim 3.35 #1) with esmtp
	for 151877-done@bugs.debian.org
	id 1AjFe8-00088h-02; Wed, 21 Jan 2004 10:31:41 +0000
Received: from cjwatson by riva.lab.dotat.at with local (Exim 3.35 #1 (Debian))
	for 151877-done@bugs.debian.org
	id 1Aj6lC-0003Ma-00; Wed, 21 Jan 2004 01:02:22 +0000
Date: Wed, 21 Jan 2004 01:02:22 +0000
From: Colin Watson <cjwatson@debian.org>
To: 151877-done@bugs.debian.org
Subject: Re: ssh: bad advice from debconf
Message-ID: <20040121010221.GA12872@riva.ucam.org>
References: <20020704044253.49EFC58000A@fabulous.u--3.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020704044253.49EFC58000A@fabulous.u--3.com>
User-Agent: Mutt/1.3.28i
Delivered-To: 151877-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_01_20 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=0.8 required=4.0 tests=DATE_IN_PAST_06_12 
	autolearn=no version=2.60-bugs.debian.org_2004_01_20
X-Spam-Level: 

On Thu, Jul 04, 2002 at 07:42:53AM +0300, Erno Kuusela wrote:
> Package: ssh
> Version: 1:3.4p1-0.0woody1
> Severity: normal
> Tags: security
> 
> debconf says:
> 
> ┌───────────────────────────┤ Configuring Ssh ├────────────────────────────┐
> │                                                                          │
> │ This version of OpenSSH supports version 2 of the ssh protocol, which    │
> │ is much more secure.  Disabling ssh 1 is encouraged, however this will   │
> │ slow things down on low end machines and might prevent older clients     │
> │ from connecting (the ssh client shipped with "potato" is affected).      │
> ...
> 
> from past experience, this is debatable to put it mildly. both the
> latest and the zlib vulnerabilities affect protocol 2 only. it appears
> to be more complex than protocol 1 and the code is less mature, both
> contributing to bug proneness.
> 
> it should ask, "Allow protocol 1 only?".
> 
> there are no major problems with the security of protocol 1 as currently
> implemented in openssh as far as i know.

It's perhaps true that the message above was added too early in
OpenSSH's life cycle. However, in my opinion and in the opinion of other
SSH implementors I've talked to, it's no longer sensible to recommend
SSH 1 over SSH 2. The latter is simply a better-designed protocol, with
support for extensions that wasn't remotely present in SSH 1, and by now
it's been quite thoroughly audited. The relative rarity of reported SSH
1-only vulnerabilities is simply because it's no longer attracting much
in the way of audit *at all* compared with SSH 2.

I think we're giving the right advice.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
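The debconf question both messages argue over comes down to one line in sshd_config: whether `Protocol` still lists version 1. The script below is an added example for this thread, not Debian's or OpenSSH's own code. It parses a config the way sshd reads it (first matching keyword wins, `#` comments, case-insensitive keywords, `Match` blocks excluded), reports whether protocol 1 is still offered, and rewrites the weak setting to the hardened `Protocol 2` form. It assumes the historical `Protocol` keyword, which OpenSSH honoured until server-side protocol 1 support was removed, and it assumes that an old sshd with no `Protocol` line offers both versions; the sample configurations are constructed.

```python
"""Audit an OpenSSH sshd_config for SSH protocol 1 and show the hardened form.

Added example for the bug thread above; not Debian's or OpenSSH's code.
Assumes the historical sshd_config keyword ``Protocol`` (values such as
``2``, ``1`` or ``2,1``) and that an old sshd offers both versions when the
keyword is absent.  All configurations below are constructed samples.
"""
import re

# Assumed default when no Protocol line is present (old OpenSSH offered both).
DEFAULT_PROTOCOLS = ("2", "1")

# Constructed sample: the weak setting the bug report argues for keeping.
WEAK_CONFIG = """\
# constructed sshd_config
Port 22
Protocol 2,1        # both protocol versions offered
PermitRootLogin no
"""

# Constructed sample: what answering "yes" to "Disable ssh 1" is meant to give.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
"""

# keyword, then whitespace or '=', then the value
KEYWORD_RE = re.compile(r"([A-Za-z0-9]+)\s*[=\s]\s*(.*)$")


def parse_sshd_config(text):
    """Map lower-cased keyword -> first value, as sshd does (first match wins).

    '#' starts a comment, keywords are case-insensitive and may be separated
    from their value by whitespace or '='.  Parsing stops at the first Match
    block because Protocol is only valid in the global section.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def enabled_protocols(text):
    """Tuple of protocol versions the config enables, in the order listed."""
    value = parse_sshd_config(text).get("protocol")
    if value is None:
        return DEFAULT_PROTOCOLS
    return tuple(v.strip() for v in value.split(",") if v.strip())


def protocol1_enabled(text):
    """True when SSH protocol 1 would still be offered by this config."""
    return "1" in enabled_protocols(text)


def harden(text):
    """Return the config with protocol 1 disabled.

    The first Protocol line becomes 'Protocol 2'; later duplicates are dropped
    (sshd would ignore them anyway); if there was none, one is appended.
    """
    out, done = [], False
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if re.match(r"protocol(\s|=)", stripped, re.IGNORECASE):
            if not done:
                out.append("Protocol 2")
                done = True
            continue
        out.append(raw)
    if not done:
        out.append("Protocol 2")
    return "\n".join(out) + "\n"


def audit(text):
    """One-line finding for a config, suitable for a compliance report."""
    protos = ",".join(enabled_protocols(text))
    if protocol1_enabled(text):
        return "FAIL: protocol 1 enabled (Protocol %s)" % protos
    return "PASS: protocol 2 only (Protocol %s)" % protos


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
    print("rewritten:", audit(harden(WEAK_CONFIG)))
```

Run against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the parser deliberately stops at the first `Match` line, so a `Protocol` keyword placed inside a `Match` block (which sshd would reject) is never mistaken for the global setting.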


