FYI: SSH1 now disabled at compile-time by default

Dan Kaminsky dan at doxpara.com
Thu Mar 26 04:17:07 AEDT 2015


I think we require ssh -1 to connect to SSHv1, but this is the sort of
thing that can get automated.

I think there's wide consensus on this move for sshd.  The only question is
ssh -1, I think.

On Wed, Mar 25, 2015 at 9:46 AM, Alex Bligh <alex at alex.org.uk> wrote:

>
> On 25 Mar 2015, at 03:15, Christoph Anton Mitterer <calestyo at scientia.net>
> wrote:
>
> > On Wed, 2015-03-25 at 10:26 +1100, Damien Miller wrote:
> >> OpenSSH git master now disabled SSH protocol 1 at compile time by
> >> default. If you want it back, then you'll need to pass --with-ssh1
> >> to configure before you build.
> > +1
> >
> > - People who use SSH are expected to want security (which v1 doesn't
> > provide) - people who actually don't want security shouldn't have used
> > SSH in the first place, but could have used rsh, telnet, etc.
>
> +1 for doing it in sshd.
>
> For the client, one issue is that it's not easy for the naive ssh
> user to tell if the equipment they are using supports ssh2 or just
> ssh1. For instance, the user currently using an ssh1-supporting
> ssh client to reach their cisco router doesn't (as I understand it)
> get warned if the cisco router only supports ssh1.
>
> Would one option for the client be to display a (suppressible)
> 'The server you are connecting to only supports ssh protocol
> version 1 which is potentially insecure, and for which
> support will soon be removed - continue (y/n)' type
> prompt by default? This could continue for a couple of major
> releases.
>
> --
> Alex Bligh
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>
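The worry raised in the quoted reply is that an ssh user cannot easily tell whether a device speaks protocol 2 or only protocol 1. The information is actually visible before any key exchange: the server's identification banner (RFC 4253 section 5.1, "SSH-protoversion-softwareversion"), where "1.99" is the legacy way of advertising both versions. The Python below is an added example for this thread, not OpenSSH code and not anything posted here; it classifies banners and groups an inventory so v1-only gear stands out before client support disappears. The host names and banner strings in SAMPLE_INVENTORY are constructed, and `fetch_banner` is only needed for a live scan of your own hosts.

```python
"""Classify SSH servers by the protocol versions their banner advertises.

Added example; not part of the thread or of OpenSSH. Banner format from
RFC 4253 section 5.1 (SSH-2.0-, SSH-1.99- meaning both 1.x and 2.0) and the
legacy SSH-1.5- banner. All sample data below is constructed.
"""
import re
import socket
from typing import Dict, List

# SSH-protoversion-softwareversion [SP comments] CR LF
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<sw>[^\s]+)(?:\s+(?P<comment>.*))?$")


def classify_banner(banner: str) -> str:
    """Return 'v1-only', 'v1-and-v2', 'v2-only' or 'unknown' for one banner line."""
    m = BANNER_RE.match(banner.rstrip("\r\n"))
    if m is None:
        return "unknown"
    proto = m.group("proto")
    if proto == "2.0":
        return "v2-only"
    if proto == "1.99":
        # Legacy convention: the server accepts both protocol 1 and protocol 2.
        return "v1-and-v2"
    if proto.startswith("1."):
        return "v1-only"
    return "unknown"


def needs_v1_warning(banner: str) -> bool:
    """The condition behind the prompt proposed in the thread: warn only when
    the server offers nothing but protocol 1."""
    return classify_banner(banner) == "v1-only"


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line from a live server on a network you run.
    Not exercised by the sample data; provided for real inventory scans."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        # RFC 4253 allows the server to send other lines before the version line.
        for _ in range(32):
            raw = reader.readline()
            if not raw:
                break
            line = raw.decode("ascii", errors="replace").rstrip("\r\n")
            if line.startswith("SSH-"):
                return line
    return ""


def audit(banners: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host names by classification so v1-only hosts are easy to list."""
    groups: Dict[str, List[str]] = {}
    for host, banner in banners.items():
        groups.setdefault(classify_banner(banner), []).append(host)
    return groups


# Constructed sample inventory: hypothetical hosts and banners, not captured data.
SAMPLE_INVENTORY = {
    "router-1.example": "SSH-1.5-Cisco-1.25",
    "router-2.example": "SSH-1.99-Cisco-1.25",
    "shell.example": "SSH-2.0-OpenSSH_6.7p1 Debian-5",
    "legacy.example": "SSH-1.5-1.2.27",
    "ftp.example": "220 not an ssh server",
}

if __name__ == "__main__":
    for kind, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{kind:12s} {', '.join(sorted(hosts))}")
```

Replacing SAMPLE_INVENTORY with `{h: fetch_banner(h) for h in hosts}` over a list of your own machines gives the per-site answer to the question in the thread: which devices would break once the client stops speaking protocol 1, and which only need the "1.99" fallback removed.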

