FYI: SSH1 now disabled at compile-time by default

Michael Felt aixtools at gmail.com
Thu Apr 2 00:40:36 AEDT 2015


Ok - thanks. stunnel is something 'useful' to study. Hopefully I will not
have to hit my head against the wall too often.

That said - is there (an official) way to disable ssh1 in the server
(e.g.,  --without-ssh1          Disable support for SSH protocol 1) but
keep support in the client?

That is how I would like to package it as of today.

And I expect, (read hope) that even though support is compiled in, I could
still disable it - by default - in the client via ssh_config.

Michael

p.s. Hubert - my apologies for the double send, forgot reply-to-all.

On Wed, Apr 1, 2015 at 3:05 PM, Hubert Kario <hkario at redhat.com> wrote:

> On Wednesday 01 April 2015 14:37:59 Michael Felt wrote:
> > re: use of a stunnel - how does this turn 40-bit https into >40-bit
> https.
> > Sounds like a man-in-the-middle I do not want to know about (but should
> > learn about just the same - aka the sand is not so deep I can bury my
> head
> > completely :)
>
> Yes, it is literally a "man in the middle", the point is, that this man is
> *you*, and as such, you can trust him, at least as much as you can trust
> the
> server itself
>
> It's the same way a reverse proxy turns a local HTTP server running on port
> 8080 (or any other for that matter) into a proper HTTPS server.
>
>
> Or in other words, it's to turn something like this:
>
>
>
>                                                | trusted network here
>   client            .-,(  ),-.
>    __  _         .-(          )-.            router             server
>   [__]|=|  ---->(    internet    )-------> __________ ------> ____   __
>   /::/|_|  SSLv2 '-(          ).-' SSLv2   [...__...°] SSLv2 |    | |==|
>                      '-.( ).-'                               |____| |  |
>                                                              /::::/ |__|
>
>
>
> into something like this:
>
>                                                | trusted network here
>   client            .-,(  ),-.
>    __  _         .-(          )-.            router             server
>   [__]|=|  ---->(    internet    )-------> __________ ------> ____   __
>   /::/|_| TLS1.2 '-(          ).-' TLS1.2  [...__...°] SSLv2 |    | |==|
>                      '-.( ).-'                  ↑            |____| |  |
>                                              stunnel         /::::/ |__|
>
>
>
> (diagram taken from http://unix.stackexchange.com/a/126638)
> --
> Regards,
> Hubert Kario
> Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
>


More information about the openssh-unix-dev mailing list