Subject: Re: Proposal: Disable SSHd Protocol v1 by Default (WAS: Re: ssh config path change (/etc -> /etc/ssh))
To: Brian A. Seklecki <lavalamp@spiritual-machines.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: netbsd-users
Date: 03/14/2002 14:22:03
On Thu, Mar 14, 2002 at 03:49:39AM -0500, Brian A. Seklecki wrote:
> 
> 	First off, sorry for the cross-post, but I'd like to get developer
> and user opinions & feedback on this one.
[...]
> 
> *) Almost every security advisory related to OpenSSH prior to the recent
> 'off-by-one' and zlib linking issues was related to weaknesses in the
> version 1 protocol.  Even the original ssh developers @cs.hut.fi and
> ssh.com recommend exclusive use of protocol 2 (mailing list posts, etc.)

Uh, I'm sorry, but that's just plain false.  There is one fundamental
vulnerability in the version 1 protocol that's been discovered, ever (and
it's pretty darned obvious!): the use of a CRC instead of a cryptographic
checksum.  There is also a serious problem with the RC4 cipher, to which
there's a simple solution: don't use it.  There have also been some timing
and other clever attacks on the protocol, but guess what?  They work just
as well against the version 2 protocol.

There have been *dozens* of security holes *in the original Ylonen SSH
implementation*, which needless to say have shown up in its progeny, the
F-Secure, OpenSSH, and SSH.COM implementations, but they haven't been
protocol related; generally they have been simple examples of bad 
programming practice.

There are good reasons to use the version 2 SSH protocol, but your
reasoning about what they are relies upon a false premise.  Try again.

It's also noteworthy that at least one of the common SSHv2 implementations
(OpenSSH) exhibits pathological interactions between its flow-control and
a number of popular applications, for example rsync.  That's a serious
issue that needs to be addressed before it will be reasonable to use that
particular v2 implementation as a transport for those applications.

Thor
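
[Added example, not part of the original message and not code from any SSH implementation.] The reply above names the use of a CRC instead of a cryptographic checksum as the protocol-level flaw in version 1. The Python sketch below shows the underlying property: the change in a CRC-32 caused by a bit-flip mask depends only on the mask, not on the message or any key, while no such relation holds for a keyed MAC. Assumptions: zlib's CRC-32 stands in for the protocol's CRC, HMAC-SHA256 stands in for a cryptographic checksum, the messages, mask and key are constructed samples, and the SSH packet layout and encryption are not modelled.

```python
import hashlib
import hmac
import zlib

# Constructed sample data: two unrelated 32-byte messages and one bit-flip mask.
MSG_A = b"session data block number 000001"
MSG_B = b"completely different 32 byte msg"
MASK = b"\x00" * 8 + b"\x20" + b"\x00" * 23
KEY = b"constructed-demo-key"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def crc_delta(mask: bytes) -> int:
    """CRC-32 change caused by XORing `mask` into any message of that length.

    CRC-32 is affine over GF(2): crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros),
    so the change is computable from the mask alone.
    """
    return zlib.crc32(mask) ^ zlib.crc32(bytes(len(mask)))


def observed_crc_delta(msg: bytes, mask: bytes) -> int:
    """Actual difference between the CRC of msg and of the modified msg."""
    return zlib.crc32(msg) ^ zlib.crc32(xor_bytes(msg, mask))


def tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def hmac_delta_holds(key: bytes, msg: bytes, mask: bytes) -> bool:
    """Test whether the same affine relation holds for HMAC (it does not)."""
    zeros = bytes(len(mask))
    predicted = xor_bytes(xor_bytes(tag(key, msg), tag(key, mask)), tag(key, zeros))
    return hmac.compare_digest(predicted, tag(key, xor_bytes(msg, mask)))


if __name__ == "__main__":
    print(f"predicted CRC delta:  {crc_delta(MASK):08x}")
    print(f"observed for MSG_A:   {observed_crc_delta(MSG_A, MASK):08x}")
    print(f"observed for MSG_B:   {observed_crc_delta(MSG_B, MASK):08x}")
    print("relation holds for HMAC:", hmac_delta_holds(KEY, MSG_A, MASK))
```

A checksum whose change is predictable without a key cannot authenticate data on its own, which is why a keyed MAC is the appropriate integrity primitive for a transport protocol.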