
Bug#151877: acknowledged by developer (Re: ssh: bad advice from debconf)



On Wed, Jan 21, 2004 at 02:44:31PM +0200, Erno Kuusela wrote:
> hello,
> | It's perhaps true that the message above was added too early in
> | OpenSSH's life cycle. However, in my opinion and in the opinion of other
> | SSH implementors I've talked to, it's no longer sensible to recommend
> | SSH 1 over SSH 2. The latter is simply a better-designed protocol, with
> | support for extensions that wasn't remotely present in SSH 1, and by now
> | it's been quite thoroughly audited. The relative rarity of reported SSH
> | 1-only vulnerabilities is simply because it's no longer attracting much
> | in the way of audit *at all* compared with SSH 2.
> | 
> | I think we're giving the right advice.
> 
> i cannot present any evidence about auditing, so i won't argue with this.
> 
> another thing: enabling both protocols at once of course increases the
> "area" of the potentially vulnerable protocol interface. if the user
> requires the use of v1 for compatibility, there should be an option
> to enable v1 only.

There is; it's just not presented by debconf. Not all of OpenSSH's
configuration options are - nor should be - presented by debconf.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]



