[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: ssh protocol 2,1



It's a leftover from when v2 was new - it allowed backwards
compatibility out of the box.

It's probably just hindsight that no one's taken out the "1", yet... 

-----Original Message-----
From: redhat-list-bounces redhat com
[mailto:redhat-list-bounces redhat com] On Behalf Of Bill Tangren
Sent: Tuesday, June 20, 2006 1:27 PM
To: General Red Hat Linux discussion list
Subject: Re: ssh protocol 2,1

Mike Burger wrote:
> On Tue, 20 Jun 2006, Bill Tangren wrote:
> 
>> I have a question regarding ssh on RHEL ES4. The man pages indicates 
>> that Protocol 2,1 is enabled by default. Could someone explain the 
>> logic of this to me? I thought Protocol 1 had a security flaw.
> 
> 
> That would cause SSHD to require protocol 2, first, then fall back to 
> protocol 1 if the client isn't protocol 2 capable.
> 
> If you want to restrict sshd to just protocol 2, remove the ",1".
> --
> Mike Burger
> http://www.bubbanfriends.org
> 

 From the man page for sshd_config:
**********
Protocol
Specifies the protocol versions ssh supports.  The possible values are
"1" and 
"2".  Multiple versions must be comma-separated.  The default is "2,1".
Note 
that the order of the protocol list does not indicate preference,
because the 
client selects among multiple protocol versions offered by the server. 
Specifying "2,1" is identical to "1,2".
**********

This doesn't actually answer my question. If someone *wanted* to exploit
the 
Protocol 1 vulnerability, wouldn't that be easy? [It is a simple
protocol choice 
in Putty, for example.]

There must be a reason for allowing this vulnerability by default. I'd
like to 
know what that reason is.

Thanks for answering, though.

Bill


-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]