FYI: SSH1 now disabled at compile-time by default
Michael Felt
aixtools at gmail.com
Thu Apr 2 00:40:36 AEDT 2015
Ok - thanks. stunnel is something 'useful' to study. Hopefully I will not
have to hit my head against the wall too often.
That said - is there (an official) way to disable ssh1 in the server
(e.g., --without-ssh1 Disable support for SSH protocol 1) but
keep support in the client?
That is how I would like to package it as of today.
And I expect (read: hope) that even though support is compiled in, I could
still disable it - by default - in the client via ssh_config.
Michael
p.s. Hubert - my apologies for the double send, forgot reply-to-all.
On Wed, Apr 1, 2015 at 3:05 PM, Hubert Kario <hkario at redhat.com> wrote:
> On Wednesday 01 April 2015 14:37:59 Michael Felt wrote:
> > re: use of a stunnel - how does this turn 40-bit https into >40-bit https.
> > Sounds like a man-in-the-middle I do not want to know about (but should
> > learn about just the same - aka the sand is not so deep I can bury my head
> > completely :)
>
> Yes, it is literally a "man in the middle", the point is, that this man is
> *you*, and as such, you can trust him, at least as much as you can trust the
> server itself.
>
> It's the same way a reverse proxy turns a local HTTP server running on port
> 8080 (or any other for that matter) into a proper HTTPS server.
>
>
> Or in other words, it's to turn something like this:
>
>
>
>                                                       | trusted network here
>  client               .-,(  ),-.
>   __  _           .-(          )-.       router                  server
>  [__]|=| ---->(    internet      )-------> __________ ------>   ____   __
>  /::/|_|  SSLv2   '-(          ).-' SSLv2 [...__...°]  SSLv2   |    | |==|
>                       '-.( ).-'            |____|              |    | |  |
>                                                                /::::/ |__|
>
>
>
> into something like this:
>
>                                                       | trusted network here
>  client               .-,(  ),-.
>   __  _           .-(          )-.       router                  server
>  [__]|=| ---->(    internet      )-------> __________ ------>   ____   __
>  /::/|_|  TLS1.2  '-(          ).-' TLS1.2 [...__...°]  SSLv2   |    | |==|
>                       '-.( ).-'               ↑|____|           |    | |  |
>                                            stunnel              /::::/ |__|
>
>
>
> (diagram taken from http://unix.stackexchange.com/a/126638)
> --
> Regards,
> Hubert Kario
> Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
>
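The wrap Hubert sketches above, written out as an stunnel configuration. This is an added example, not code from the thread or from the stunnel project; the service names, hostnames, ports and certificate paths are assumptions, and the exact protocol names accepted by `sslVersion` depend on the stunnel and OpenSSL build in use. stunnel cannot re-encrypt within one service, so the "router" runs two services chained over the loopback interface: one terminating modern TLS toward the internet, one acting as a TLS client toward the legacy server.

```ini
; Constructed example: stunnel.conf for the "router" box in the diagram.
; Hostnames, ports, paths and service names are assumptions.

; --- global options ---
foreground = no
pid = /var/run/stunnel.pid
setuid = stunnel
setgid = stunnel
debug = 5
output = /var/log/stunnel.log

; --- service 1: internet-facing side ---
; stunnel terminates TLS here with the router's own certificate, so
; remote clients never negotiate with the legacy server directly.
[https-front]
client = no
accept = 0.0.0.0:443
cert = /etc/stunnel/router.crt
key = /etc/stunnel/router.key
; only offer TLS 1.2 to the internet (name depends on the stunnel build)
sslVersion = TLSv1.2
; plaintext hop to service 2; must stay on loopback of this same host
connect = 127.0.0.1:8443

; --- service 2: trusted-network side ---
; stunnel is the TLS *client* here and speaks whatever the old server
; still supports (SSLv2 in the diagram). Assumption: SSLv3 is shown
; because many current builds no longer accept SSLv2 at all.
[legacy-back]
client = yes
accept = 127.0.0.1:8443
connect = legacy-server.example.internal:443
sslVersion = SSLv3
```

Two points to keep in mind when deploying this: the hop between the two services is unencrypted, so both must run on the same host and the `accept` address of `[legacy-back]` must never be a routable interface; and the segment between the router and the legacy server still carries the weak protocol, so the arrangement only contains the exposure to the trusted network rather than removing it, which is exactly the trust statement Hubert makes above.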