
Re: SSH



Benjamin Pharr wrote:
> 
> While logging into my Debian box using ssh I noticed that it is set up to
> use SSH version 1 by default.  This protocol is widely known to have
> security problems.  Does anyone know why Debian is still using it?  Below I
> have pasted a link from the official ssh.org FAQ.

and which security "problems" are you referring to? i read every bugtraq
posting and have found nothing about ssh1. there is a new sniffer out there
that can do a man-in-the-middle attack, but that is not a protocol problem
it is an administrative problem (as was pointed out many times on bugtraq).
and that sniffer will eventually be able to sniff ssh2 as well, but again
it's not a protocol security problem. same goes for SSL. debian's default
configuration immediately drops connection to a host whose key has changed
you have to go into the known_hosts and delete it manually. if you do
that and get caught by a sniffer it's your own damn fault :)

if there are other security problems that have been uncovered in the past
year (there are a couple that are older but that was long before openssh
even began).. i'd like to know.

nate


-- 
:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
aphro@aphroland.org
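
The known_hosts check the message describes (a changed host key ends the connection), sketched as an added example that is not part of the original post or of OpenSSH's code. It assumes the OpenSSH protocol 2 known_hosts line format (host list or `|1|` hashed host, key type, base64 key); wildcard patterns are left out, and all host names and keys are constructed.

```python
import base64
import hashlib
import hmac


def host_matches(field, host):
    """True if the first field of a known_hosts line names this host."""
    if field.startswith("|1|"):  # hashed: |1|base64(salt)|base64(HMAC-SHA1(salt, host))
        parts = field.split("|")
        if len(parts) != 4:
            return False
        mac = hmac.new(base64.b64decode(parts[2]), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(parts[3]))
    return host in field.split(",")


def check_host_key(known_hosts_text, host, key_type, key_b64):
    """Classify the key a server offers as 'match', 'changed' or 'unknown'."""
    changed = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, short lines and @cert-authority/@revoked markers.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if not host_matches(fields[0], host) or fields[1] != key_type:
            continue  # other host, or a key type we have nothing on file for
        if fields[2] == key_b64:
            return "match"
        changed = True  # same host and key type, different key: refuse to connect
    return "changed" if changed else "unknown"


def hashed_entry(host, salt=b"constructed-salt"):
    """Build a |1| hashed host field for the constructed sample below."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


# Constructed sample: placeholder key blobs and example host names, not real keys.
OLD_KEY = base64.b64encode(b"constructed-key-on-file").decode()
NEW_KEY = base64.b64encode(b"constructed-key-offered-later").decode()
SAMPLE = "\n".join([
    "# constructed known_hosts sample",
    "server.example,192.0.2.10 ssh-rsa " + OLD_KEY,
    hashed_entry("db.example") + " ssh-rsa " + OLD_KEY,
])
```

A "changed" result is the case where the client should stop, and the stored entry should only be replaced after the new key's fingerprint has been confirmed out of band.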


