LinuxSA Mailing list archives
From: Alan Kennington <akenning@dog.topology.org>
To: LinuxSA <linuxsa@linuxsa.org.au>
Date: Wed, 20 Dec 2000 13:28:25 +1030
Subject: Re: SSH Security (Or Lack Thereof) Article
On Tue, Dec 19, 2000 at 12:43:57PM +1030, David Lloyd wrote:
>
>
> * http://www.monkey.org/%7Edugsong/dsniff/
> * http://securityportal.com/cover/coverstory20001218.html
>
> It looks like it's possible that SSH Protocol 1 isn't secure...
I've been trying to follow this over the last few days.
But all I can make out is that someone has written a tool to
do "person-in-the-middle" attacks, which is precisely what I
thought the server key caching by the client is supposed to
guard against.
And somehow SSH protocol version 1 is vulnerable but version 2
is not. Sounds simple. But....
When I look at "man sshd", I just find:
``has been updated to support ssh protocol 1.5''
So does this mean that my SSH software is vulnerable?
Are there config file parameters which can be set to
force the non-use of the more vulnerable version 1 protocol?
I can't find (yet) anywhere any info on what specific actions
one has to take to minimise the threat.
How would I know what protocol I'm using now?
Do I have to download and rebuild SSH etc. again (again).
Thanks in advance for any good advice.
Cheers,
Alan Kennington.
PS. Please send any flames to me personally.
I have a suitable device driver for this purpose.
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
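
An added example, not part of the original post or of any SSH package: one way to see which protocol a server offers is to read the identification string it sends on connect, `SSH-<protoversion>-<software>`, where 1.x (such as 1.5) means protocol 1 only, 2.0 means protocol 2 only, and 1.99 means protocol 2 with protocol 1 compatibility. The function names and the sample banners are constructed for illustration.

```python
import re
import socket

# Identification string sent on connect: SSH-<protoversion>-<software>
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")

def classify_banner(greeting):
    """Return (offers_v1, offers_v2, software) for a server greeting."""
    # Servers may send other text lines first; use the first "SSH-" line.
    for line in greeting.splitlines():
        m = BANNER_RE.match(line.strip())
        if not m:
            continue
        major, minor, software = int(m.group(1)), int(m.group(2)), m.group(3)
        if (major, minor) == (1, 99):
            return True, True, software    # protocol 2 with protocol 1 fallback
        if major == 1:
            return True, False, software   # protocol 1 only (e.g. 1.5)
        if major == 2:
            return False, True, software   # protocol 2 only
        raise ValueError("unknown protocol version %d.%d" % (major, minor))
    raise ValueError("no SSH identification string in greeting")

def read_greeting(host, port=22, timeout=5.0, max_lines=20):
    """Collect what an SSH server sends on connect, up to its banner line."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as stream:
            for _ in range(max_lines):
                raw = stream.readline(256)
                if not raw:
                    break
                lines.append(raw.decode("ascii", "replace"))
                if raw.startswith(b"SSH-"):
                    break
    return "".join(lines)

if __name__ == "__main__":
    # Constructed sample banners, not captured from any real server.
    samples = ["SSH-1.5-example_1.0\n",
               "notice line\r\nSSH-1.99-example_2.0\r\n",
               "SSH-2.0-example_2.0 comment\r\n"]
    for s in samples:
        print(repr(s), "->", classify_banner(s))
    # For a server you administer: classify_banner(read_greeting("localhost"))
```

A result with `offers_v1` true means the server will still accept protocol 1 connections, whatever the client prefers.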