Home page logo

bugtraq logo Bugtraq mailing list archives

Re: SSH 1 Why?
From: laven.data () IMAGE DK (Emil S Hansen)
Date: Thu, 16 Dec 1999 18:33:00 +0100

What you are missing is the following: upgrading to SSH 2
implies upgrading to
version 2 of the protocol, in order to prevent the
abovementioned problem you
can no longer support compatibility with version 1.x of the
protocol. So you
have to update all your SSH servers and clients.

Not true. If you have ssh1 installed, and you compile ssh2, ssh2
maintains version1 protocol compatibility, which means you can still
connect to a ssh2 sshd with a ssh1 client.

No, that is (AFAIK) not true. sshd2 uses sshd1 for compatility with older
ssh1 clients, so you have to have sshd1 installed to use the compatility
mode of sshd2 (which just spawns sshd1 if it sees an incomming ssh1

EG. sshd2 will spawn (vulnarble) sshd1 when a SSH1 connection is made.

This might be a valid point. But upgrading *all* clients to
ssh2 is not
nessesary. You can still maintain ssh1 compatibility.

Yes, at the cost of NOT bieng safe. You are still running the old unsecure
version, but now you are just running it along a safe version.

But since when is it a option to have unsafe software installede when there
is a safe alternative? most WinXX clients support both SSH1 and SSH2 now a
days, and a quick compile of ssh2 on most unix boxes is sure worth the time
compared to the risk of having sshd1 running!

I just don't see anything that justifies running a unsafe pice of software
on a production system.


        Emil S Hansen
        laven.data () image dk
        UIN: 15749535 & 45621049

Version: 3.1
GED d- s+:- a-- C++ UL++++ P+ L+++ E W++ N++ o K- w+ O- M-- V- PS+ PE-- Y+
PGP+ t- 5+ X++ R* tv- b++ DI++ D++
G e h r y+

  By Date           By Thread  

Current thread:
  • Re: SSH 1 Why? Emil S Hansen (Dec 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]