Re: [rootshell] Security Bulletin #25

["Roeland M.J. Meyer" <rmeyer () mhsc com>]

At 08:09 PM 11/3/98 -0500, Richard Steenbergen wrote:
> > Well, seeing how 2.0 is actually a commercial product and supposedly
> > re-written, I can see why they'd want to sell it.  If you want to run ssh
> > and don't want to pay for it, you're stuck with the 1.x version.  Those
> > that can pay do, and those that don't whine for some reason.  It's not
> > like you couldn't take the source to 1.2.26 and alter it now, is it?
>
> Have you ever stopped to look at the src to 2.0? Large portions of it is
> unfinished. Hell the only symetric ciphers they have are DES (do we even
> have to go here), RC4 (a stream cipher that has been implimented wrong in
> SSH before), and Mars (an AES candidate from IBM which has known attacks
> against it).

We plopped v1.2.21 into production over a year (Aug97) ago. We use the
F-secure WinNT client. We have not seen compelling reason to upgrade.
Insignificat additional features and huge risk that our WinNT clients would
also have to be upgraded. I am not aware of published exploits against this
version, or higher, of SSH.

We have been watching more recent version have their problems. Recently it
has been the 2.x series. We feel quite justified in using what works, in
production.
___________________________________________________ 
Roeland M.J. Meyer, ISOC (InterNIC RM993) 
e-mail: <mailto:rmeyer () mhsc com>rmeyer () mhsc com
Internet phone: hawk.mhsc.com
Personal web pages: <http://www.mhsc.com/~rmeyer>www.mhsc.com/~rmeyer
Company web-site: <http://www.mhsc.com/>www.mhsc.com/
___________________________________________ 
I bet the human brain is a kludge.
                -- Marvin Minsky