FYI: SSH1 now disabled at compile-time by default

Dan Kaminsky dan at doxpara.com
Thu Apr 2 05:13:34 AEDT 2015


It is disabled by default in the client, in the sense that you need to
actually run ssh -1.  If you didn't, I'd be on the side of the pitchforks
saying why are we subjecting all these clients to downgrade attack risk.

--Dan


On Wed, Apr 1, 2015 at 6:40 AM, Michael Felt <aixtools at gmail.com> wrote:

> Ok - thanks. stunnel is something 'useful' to study. Hopefully I will not
> have to hit my head against the wall too often.
>
> That said - is there (an official) way to disable ssh1 in the server
> (e.g.,  --without-ssh1          Disable support for SSH protocol 1) but
> keep support in the client?
>
> That is how I would like to package it as of today.
>
> And I expect, (read hope) that even though support is compiled in, I could
> still disable it - by default - in the client via ssh_config.
>
> Michael
>
> p.s. Hubert - my apologies for the double send, forgot reply-to-all.
>
> On Wed, Apr 1, 2015 at 3:05 PM, Hubert Kario <hkario at redhat.com> wrote:
>
> > On Wednesday 01 April 2015 14:37:59 Michael Felt wrote:
> > > re: use of a stunnel - how does this turn 40-bit https into >40-bit
> > > https.
> > > Sounds like a man-in-the-middle I do not want to know about (but should
> > > learn about just the same - aka the sand is not so deep I can bury my
> > > head completely :)
> >
> > Yes, it is literally a "man in the middle"; the point is that this man is
> > *you*, and as such, you can trust him, at least as much as you can trust
> > the server itself.
> >
> > It's the same way a reverse proxy turns a local HTTP server running on
> > port 8080 (or any other for that matter) into a proper HTTPS server.
> >
> >
> > Or in other words, it's to turn something like this:
> >
> >
> >
> >                                                | trusted network here
> >   client            .-,(  ),-.
> >    __  _         .-(          )-.            router             server
> >   [__]|=|  ---->(    internet    )-------> __________ ------> ____   __
> >   /::/|_|  SSLv2 '-(          ).-' SSLv2   [...__...°] SSLv2 |    | |==|
> >                      '-.( ).-'                               |____| |  |
> >                                                              /::::/ |__|
> >
> >
> >
> > into something like this:
> >
> >                                                | trusted network here
> >   client            .-,(  ),-.
> >    __  _         .-(          )-.            router             server
> >   [__]|=|  ---->(    internet    )-------> __________ ------> ____   __
> >   /::/|_| TLS1.2 '-(          ).-' TLS1.2  [...__...°] SSLv2 |    | |==|
> >                      '-.( ).-'                  ↑            |____| |  |
> >                                              stunnel         /::::/ |__|
> >
> >
> >
> > (diagram taken from http://unix.stackexchange.com/a/126638)
> > --
> > Regards,
> > Hubert Kario
> > Quality Engineer, QE BaseOS Security team
> > Web: www.cz.redhat.com
> > Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
> >
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
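The two-hop arrangement in Hubert's second diagram, written out as an added stunnel.conf example (not from the thread or from the stunnel project): one service terminates TLS 1.2 for internet clients, a second re-wraps the plaintext in SSLv2 towards the legacy server on the trusted network. The host names, ports, user/group and certificate paths are placeholders, and the SSLv2 hop assumes an stunnel linked against an OpenSSL build that still includes SSLv2.

```ini
; Added example: chained stunnel services realising the diagram above.
; Placeholder values throughout; adjust paths, ports and hosts to taste.

setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid

; Frontend: the only side internet clients ever talk to.
; Server mode (the default), TLS 1.2 only, with a certificate the
; clients can verify. Plaintext is handed to the second service on loopback,
; so it never leaves this host unencrypted.
[frontend]
accept = 0.0.0.0:443
connect = 127.0.0.1:8443
cert = /etc/stunnel/frontend.pem
key = /etc/stunnel/frontend.key
sslVersion = TLSv1.2

; Legacy hop: takes the plaintext from the frontend and opens the weak
; SSLv2 session to the old server, exactly like the original client would
; have done. Bound to loopback so nothing else can reach the weak path.
; Assumes an OpenSSL build that still has SSLv2.
[legacy]
client = yes
accept = 127.0.0.1:8443
connect = legacy-server.internal:443
sslVersion = SSLv2
```

The weak protocol now only runs on the trusted segment between stunnel and the legacy server, which is the "man in the middle is you" point made above.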

