FYI: SSH1 now disabled at compile-time by default

Alex Bligh alex at alex.org.uk
Thu Mar 26 03:46:47 AEDT 2015


On 25 Mar 2015, at 03:15, Christoph Anton Mitterer <calestyo at scientia.net> wrote:

> On Wed, 2015-03-25 at 10:26 +1100, Damien Miller wrote: 
>> OpenSSH git master now disabled SSH protocol 1 at compile time by
>> default. If you want it back, then you'll need to pass --with-ssh1
>> to configure before you build.
> +1
> 
> - People who use SSH are expected to want security (which v1 doesn't
> provide) - people who actually don't want security, shouldn't have used
> SSH in the first place, but could have used rsh, telnet, etc.

+1 for doing it in sshd.

For the client, one issue is that it's not easy for the naive ssh
user to tell if the equipment they are using supports ssh2 or just
ssh1. For instance, the user currently using an ssh1-supporting
ssh client to reach their cisco router doesn't (as I understand it)
get warned if the cisco router only supports ssh1.

Would one option for the client be to display a (suppressible)
'The server you are connecting to only supports ssh protocol
version 1 which is potentially insecure, and for which
support will soon be removed - continue (y/n)' type
prompt by default? This could continue for a couple of major
releases.

-- 
Alex Bligh
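As an added illustration of the point above (not code from the post or from OpenSSH), the following classifies a server's SSH identification line by the protocol versions it advertises: "SSH-2.0-" means protocol 2, "SSH-1.99-" means the server accepts both (RFC 4253 section 5.1), and "SSH-1.x-" means protocol 1 only. The sample banners and the warning wording are constructed for this example.

```python
import re
from typing import Optional

# Identification line format: SSH-protoversion-softwareversion [SP comments]
# (RFC 4253 section 4.2). The software version may not contain spaces.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$"
)


def classify_banner(line: str) -> dict:
    """Return which protocol versions the server's banner advertises."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification line: {line!r}")
    proto = m.group("proto")
    if proto == "2.0":
        ssh1, ssh2 = False, True
    elif proto == "1.99":
        ssh1, ssh2 = True, True  # backward-compatible server: both protocols
    elif proto.startswith("1."):
        ssh1, ssh2 = True, False  # protocol 1 only (e.g. old embedded gear)
    else:
        raise ValueError(f"unknown protocol version: {proto}")
    return {"proto": proto, "software": m.group("software"),
            "ssh1": ssh1, "ssh2": ssh2}


def warning_for(line: str) -> Optional[str]:
    """Text a client could show before continuing to an SSH1-only server,
    or None when the server supports protocol 2."""
    info = classify_banner(line)
    if info["ssh2"]:
        return None
    return (f"Server {info['software']} only supports SSH protocol "
            f"version {info['proto']}, which is potentially insecure and "
            "for which client support will soon be removed.")


# Constructed sample banners; none is a real device's output.
SAMPLE_BANNERS = [
    "SSH-1.5-legacy-router-example",  # protocol 1 only -> warn
    "SSH-1.99-OpenSSH_3.9p1",         # both -> no warning
    "SSH-2.0-OpenSSH_6.7",            # protocol 2 only -> no warning
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner, "->", warning_for(banner) or "ok (protocol 2 available)")
```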