Home page logo

bugtraq logo Bugtraq mailing list archives

Re: SSH 1 Why?
From: core.lists.bugtraq () CORE-SDI COM (Emiliano Kargieman)
Date: Wed, 15 Dec 1999 16:34:27 -0300

"Daniel P. Zepeda" wrote:

        I've seen a lot of discussion about SSH 1 on this list. I read
somewhere that even the authors of SSH recommended that SSH1 *not* be used
anymore because there were some major holes in it, and that anybody
serious should upgrade to SSH2. What am I missing here?

The short answer: theres a hughe installed base of SSH 1.

The long one:

Well, there is a problem in the way SSH protocol version 1.x (implemented in
versions 1.x of the SSH software packages) handles integrity checking of the
encrypted channel, that could allow an attacker to insert arbitrary commands
to be executed on the server. This problem is inherent to the protocol and
although there are ways to detect this attack, an upgrade of the protocol is
recommended. See
199806120125.WAA05406 () takeover core com 
ar">http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-06-08&msg=199806120125.WAA05406 () takeover 
core com ar</A>

What you are missing is the following: upgrading to SSH 2 implies upgrading to
version 2 of the protocol, in order to prevent the abovementioned problem you
can no longer support compatibility with version 1.x of the protocol. So you
have to update all your SSH servers and clients.
In the real world (somewhere around here?) updating all this clients takes can
take a long time, so even if you are upgrading to version 2 you need to keep
backwards compatibility for a while... that means, any problems found in SSH 1
still concern a lot of people (see the short answer for details).


Emiliano Kargieman <ek () core-sdi com>
Director de Investigacion - CoreLabs - Core-SDI S.A.

--- For a personal reply use emiliano_kargieman () core-sdi com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]