Re: SSH
Benjamin Pharr wrote:
>
> While logging into my Debian box using ssh I noticed that it is set up to
> use SSH version 1 by default. This protocol is widely known to have
> security problems. Does anyone know why Debian is still using it? Below I
> have pasted a link from the official ssh.org FAQ.

and which security "problems" are you referring to? i read every bugtraq posting and have found nothing about ssh1. there is a new sniffer out there that can do a man-in-the-middle attack, but that is not a protocol problem, it is an administrative problem (as was pointed out many times on bugtraq). and that sniffer will eventually be able to sniff ssh2 as well, but again it's not a protocol security problem. same goes for SSL. debian's default configuration immediately drops connection to a host whose key has changed; you have to go into the known_hosts and delete it manually. if you do that and get caught by a sniffer it's your own damn fault :)

if there are other security problems that have been uncovered in the past year (there are a couple that are older but that was long before openssh even began).. i'd like to know.

nate
--
:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
aphro@aphroland.org
- Follow-Ups:
- Re: SSH
- From: Henrique M Holschuh <hmh@debian.org>
- References:
- SSH
- From: Benjamin Pharr <benpharr@freedom2000net.com>