Bugtraq mailing list archives
Re: SSH 1 Why?
From: core.lists.bugtraq () CORE-SDI COM (Iván Arce)
Date: Thu, 16 Dec 1999 15:28:48 -0300
Emiel Kollof wrote:

> Emiliano Kargieman wrote:
>
>> What you are missing is the following: upgrading to SSH 2 implies upgrading to version 2 of the protocol, in order to prevent the abovementioned problem you can no longer support compatibility with version 1.x of the protocol. So you have to update all your SSH servers and clients.
>
> Not true. If you have ssh1 installed, and you compile ssh2, ssh2 maintains version1 protocol compatibility, which means you can still connect to a ssh2 sshd with a ssh1 client.

Yes, but that's exactly what you DON'T want. Protocol version 1 (note that I said protocol, not ssh) has the problem that Emiliano was referring to, besides being much more modular and clean. If you are really concerned about security you don't want backwards compatibility with a flawed protocol. Therefore, your SSH2 servers shouldn't allow v1 connections, therefore you should upgrade the clients as well.

This reminds me of the issues related to MS NT and MS win95 authentication...

-ivan

--
"Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house, Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email: iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce () core-sdi com
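
Added example, not part of the original message or of any SSH distribution: one way to audit which servers still accept protocol 1, by classifying the identification line each sshd sends on connect. It relies on the "1.99" protoversion convention (RFC 4253, section 5.1) that a v2 server uses to advertise v1 compatibility; the host names and banner strings are constructed samples.

```python
import re

# Identification line: SSH-protoversion-softwareversion[ SP comments]
_BANNER = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: (.*))?$")

def classify_banner(line):
    """Return (verdict, protoversion) for one server identification line."""
    m = _BANNER.match(line.rstrip("\r\n"))
    if not m:
        return ("unparseable", None)
    major, minor = int(m.group(1)), int(m.group(2))
    proto = f"{major}.{minor}"
    if major == 1 and minor == 99:
        # 1.99: a protocol 2 server that also accepts protocol 1 clients
        return ("v2-with-v1-fallback", proto)
    if major == 1:
        return ("v1-only", proto)
    if major == 2:
        return ("v2-only", proto)
    return ("unknown", proto)

def audit(banners):
    """Map host -> verdict for every host that still accepts protocol 1."""
    findings = {}
    for host, line in banners.items():
        verdict, _ = classify_banner(line)
        if verdict in ("v1-only", "v2-with-v1-fallback"):
            findings[host] = verdict
    return findings

# Constructed sample input: host names and banners are illustrative only.
SAMPLE = {
    "host-a.example": "SSH-1.5-1.2.27\r\n",
    "host-b.example": "SSH-1.99-2.0.13 (non-commercial)\r\n",
    "host-c.example": "SSH-2.0-2.0.13 (non-commercial)\r\n",
    "host-d.example": "220 ftp ready\r\n",
}

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE).items()):
        print(host, verdict)
```

A host reported as v2-with-v1-fallback is the case discussed in the message: the server runs protocol 2 but will still negotiate the older protocol with a v1 client.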