Bug#151877: acknowledged by developer (Re: ssh: bad advice from debconf)
On Wed, Jan 21, 2004 at 02:44:31PM +0200, Erno Kuusela wrote:
> hello,
> | It's perhaps true that the message above was added too early in
> | OpenSSH's life cycle. However, in my opinion and in the opinion of other
> | SSH implementors I've talked to, it's no longer sensible to recommend
> | SSH 1 over SSH 2. The latter is simply a better-designed protocol, with
> | support for extensions that wasn't remotely present in SSH 1, and by now
> | it's been quite thoroughly audited. The relative rarity of reported SSH
> | 1-only vulnerabilities is simply because it's no longer attracting much
> | in the way of audit *at all* compared with SSH 2.
> |
> | I think we're giving the right advice.
>
> i cannot present any evidence about auditing, so i won't argue with this.
>
> another thing: enabling both protocols at once of course increases the
> "area" of the potentially vulnerable protocol interface. if the user
> requires the use of v1 for compatibility, there should be an option
> to enable v1 only.

There is; it's just not presented by debconf. Not all of OpenSSH's
configuration options are - nor should be - presented by debconf.

Cheers,
--
Colin Watson [cjwatson@flatline.org.uk]