Bugtraq mailing list archives
Re: SSH 1 Why?
From: laven.data () IMAGE DK (Emil S Hansen)
Date: Thu, 16 Dec 1999 18:33:00 +0100
What you are missing is the following: upgrading to SSH 2 implies upgrading to version 2 of the protocol, in order to prevent the abovementioned problem you can no longer support compatibility with version 1.x of the protocol. So you have to update all your SSH servers and clients.

Not true. If you have ssh1 installed, and you compile ssh2, ssh2 maintains version 1 protocol compatibility, which means you can still connect to a ssh2 sshd with a ssh1 client.
No, that is (AFAIK) not true. sshd2 uses sshd1 for compatibility with older ssh1 clients, so you have to have sshd1 installed to use the compatibility mode of sshd2 (which just spawns sshd1 if it sees an incoming ssh1 connection). E.g. sshd2 will spawn (vulnerable) sshd1 when a SSH1 connection is made.
This might be a valid point. But upgrading *all* clients to ssh2 is not necessary. You can still maintain ssh1 compatibility.
Yes, at the cost of NOT being safe. You are still running the old unsecure version, but now you are just running it along a safe version. But since when is it an option to have unsafe software installed when there is a safe alternative? Most WinXX clients support both SSH1 and SSH2 nowadays, and a quick compile of ssh2 on most unix boxes is sure worth the time compared to the risk of having sshd1 running! I just don't see anything that justifies running an unsafe piece of software on a production system.

Regards,
Emil S Hansen
laven.data () image dk
UIN: 15749535 & 45621049

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GED d- s+:- a-- C++ UL++++ P+ L+++ E W++ N++ o K- w+ O- M-- V- PS+ PE-- Y+ PGP+ t- 5+ X++ R* tv- b++ DI++ D++ G e h r y+
------END GEEK CODE BLOCK------
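An added example, not part of the original message: a server with SSH1 compatibility left enabled can be recognised from its identification string, because a protocol version of 1.99 announces SSH2 with fallback to SSH1, and 1.x announces SSH1 only. The sketch below classifies collected banners; the host names and software strings are constructed sample data, and the function names are hypothetical.

```python
import re

# Identification line: "SSH-<protoversion>-<softwareversion>[ <comments>]"
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: (.*))?$")

def classify_banner(raw: bytes) -> dict:
    """Report which protocol versions a server banner offers."""
    # A server may send free-text lines before the identification line; skip them.
    for line in raw.decode("ascii", "replace").splitlines():
        m = BANNER_RE.match(line)
        if m:
            break
    else:
        return {"status": "unparseable", "ssh1": None, "software": None}
    major, minor, software = int(m.group(1)), int(m.group(2)), m.group(3)
    if (major, minor) == (1, 99):
        # 1.99: SSH2 server that still accepts SSH1 clients (compatibility mode).
        status, ssh1 = "v2 with v1 fallback", True
    elif major == 1:
        status, ssh1 = "v1 only", True
    elif major == 2:
        status, ssh1 = "v2 only", False
    else:
        status, ssh1 = "unknown version", None
    return {"status": status, "ssh1": ssh1, "software": software}

def hosts_accepting_ssh1(inventory: dict) -> list:
    """Return the hosts whose banner shows SSH1 is still reachable."""
    return sorted(h for h, b in inventory.items() if classify_banner(b)["ssh1"])

# Constructed sample inventory (host name -> banner bytes as read from port 22).
SAMPLE = {
    "build01": b"SSH-1.5-example_1.0\n",
    "gw01": b"SSH-1.99-example_2.0 (compat)\r\n",
    "db01": b"SSH-2.0-example_2.0\r\n",
    "old-router": b"Welcome\r\nSSH-1.99-example_1.0\r\n",
    "junk": b"220 ftp ready\r\n",
}

if __name__ == "__main__":
    for host in hosts_accepting_ssh1(SAMPLE):
        print(host, classify_banner(SAMPLE[host])["status"])
```

Only hosts reported as "v2 only" have SSH1 fully disabled; the other two classes still expose the version 1 daemon.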