Subject: Re: Proposal: Disable SSHd Protocol v1 by Default (WAS: Re: ssh
To: Brian A. Seklecki <lavalamp@spiritual-machines.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 03/14/2002 15:24:19
[ On Thursday, March 14, 2002 at 14:38:03 (-0500), Brian A. Seklecki wrote: ]
> Subject: Re: Proposal: Disable SSHd Protocol v1 by Default (WAS: Re: ssh  config path change (/etc -> /etc/ssh))
>
> On Thu, 14 Mar 2002, Thor Lancelot Simon wrote:
> >
> > There are good reasons to use the version 2 SSH protocol, but your
> > reasoning about what they are relies upon a false premise.  Try again.
> >
> 
> Everything credible I've read indicates that the most secure
> implementation involves exclusive use of protocol 2, DSA keys (empty
> passphrase or not), disabling superfluous features like 'PermitRootLogin',
> 'PermitEmptyPasswords', X/11 forwarding, and of course, ACL's, either via
> libwrap or ipf limiting which hosts can connect.

There are some nifty new features and controls in the new SSH.COM
implementation, and it is very much a re-implementation of at least
large parts of the original code, which has hopefully helped squash
quite a number of the many bugs in the original implementation (which
OpenSSH among others are derived from).

Personally for me the one huge advantage of the v2 protocol is the
better (i.e. the actual possibility of) proper flow control.  For me the
original protocol was seriously flawed in this regard, and fatally so
for many applications.  For interactive use I find the ability to pause
or interrupt volumes of output spewing from some program (eg. when I do
a "grep" without piping it to the pager and it spews far more than I
expect) is immensely valuable.  The fact that chatty protocols like CVS,
X11, rsync, etc. actually work correctly through SSH tunnels even in the
face of congestion and packet loss is a major improvement too.  It is
sad for me to learn that OpenSSH has botched flow control support in its
v2 implementation (though it makes me thankful for the choice I made to
not use OpenSSH! :-).

As for disabling v1 support, well I've done that for my servers, and now
with SSH-v3.0 and newer there's internal emulation of the v1 client
protocol so my new clients can still talk to devices running older
servers that cannot be as easily upgraded.

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
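Added example, not part of this thread and not code from either poster: a small Python audit that reads an sshd_config and reports the directives the quoted message lists as hardening points (Protocol 2 only, PermitRootLogin off, PermitEmptyPasswords off, X11Forwarding off). The keyword names are real OpenSSH sshd_config directives; the two sample configurations, the audit_sshd_config function and its finding strings are constructed for this example. The host ACL side (libwrap or ipf) lives outside sshd_config and is not checked, nor is the key type; note that OpenSSH has since disabled DSA host and user keys by default, so that part of the 2002 advice no longer applies.

```python
"""Audit an sshd_config for the hardening points named in the quoted post.

Example code, not from the original mailing-list message.  Directive names are
real OpenSSH sshd_config keywords; the sample configs below are constructed.
"""
import re

# Directives the post names, each with a predicate that is True when the
# configured value defeats the recommendation.
WEAK_SETTINGS = {
    "protocol": lambda v: "1" in v.replace(" ", "").split(","),  # any v1 offered
    "permitrootlogin": lambda v: v.lower() != "no",              # post says: off
    "permitemptypasswords": lambda v: v.lower() == "yes",
    "x11forwarding": lambda v: v.lower() == "yes",
}

# All four should be set explicitly; an absent directive means the compiled-in
# default applies, which the audit reports rather than guessing at it.
REQUIRED = set(WEAK_SETTINGS)


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the first occurrence of each keyword.

    sshd uses the first obtained value for each keyword, so later duplicates are
    ignored.  Comments and blank lines are skipped, and a Match block ends the
    global section (options inside it are conditional, not global).
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config allows whitespace or a single '=' between key and value.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        seen.setdefault(key, value)
    return seen


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every directive the post
    mentions is present and set the recommended way."""
    cfg = parse_sshd_config(text)
    findings = []
    for key in sorted(REQUIRED):
        if key not in cfg:
            findings.append(f"{key}: not set, compiled-in default applies")
        elif WEAK_SETTINGS[key](cfg[key]):
            findings.append(f"{key}: weak value '{cfg[key]}'")
    return findings


# Constructed sample: a permissive config that still offers protocol 1.
WEAK_SAMPLE = """\
# constructed example of a permissive sshd_config
Protocol 2,1
PermitRootLogin yes
X11Forwarding yes
# PermitEmptyPasswords deliberately left unset
"""

# Constructed sample following the quoted recommendations.
HARDENED_SAMPLE = """\
# constructed example of a hardened sshd_config
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(f"[{name}]")
        for finding in audit_sshd_config(sample) or ["ok"]:
            print("  " + finding)
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the parser honours sshd's first-match rule, so a hardening line appended below an earlier permissive one is correctly reported as ineffective.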