Bugtraq mailing list archives

Re: Kerberos security vulnerability in SSH-1.2.27


From: atossava () CC HELSINKI FI (Atro Tossavainen)
Date: Thu, 6 Jul 2000 17:27:13 +0300


Dear Jake,

Just posting to note that there is indeed a ssh-1.2.28 release, but lo!
also a 1.2.29.

And now, also a 1.2.30. This fixes bugs reported ages ago:

* the server accepting unsupported ciphers (notably "none") if so
  requested by clients, even though the server itself wasn't compiled
  with "--with-none";

* a syslog handle hogging bug that would cause problems on large
  multi-user IRIX machines;

* and another bug that would sometimes truncate scp transfers.

The license issues remain as you said.

Question for the Group: isn't the version 1.x license the only reason for
the 1.5 protocol's continued use? (aside from compatibility reasons,
which could probably be cleaned up were it not for the ver 2.x license)

Compatibility reasons indeed. For example, there is no AFS support for
2.x. I am aware of the fact that the support in 1.x is third-party.

Are there other free SSH2 clients than OpenSSH? Particularly, anything
for anything else but UNIX? That might also be an issue.

--
Atro Tossavainen (Mr.), Systems Analyst, contact info at URL, +358-9-19158939
The Institute of Biotechnology at the University of Helsinki, Finland employs
me, but my opinions are my own. They are welcome to them, if they want them.
<URL:http://www.iki.fi/atro.tossavainen/>


