Subject: Re: RE: VERY slow ssh logins to uVAX
To: None <port-vax@NetBSD.ORG>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: port-vax
Date: 05/05/2005 20:16:40

>>> However if you do insist on trying to run SSH on slow hardware like
>>> a uVAX then SSH-3.2.9.1 or similar is probably your best bet

>> I hadn't thought anything beyond version 2 had a spec yet even in
>> the form of I-Ds. What am I missing?

> SSH-3.x is just the latest public release of software from ssh.com,
> and it (fully?) implements the SSHv2 protocol.

...ah, a name for an implementation rather than a protocol.

No, I won't run anything from ssh.com. Since they went commercial I
simply don't trust them enough.

>> The only attacks [against ssh1] I know of against ssh1 are either
>> implementation attacks against late implementations of it or
>> social-engineering attacks such as the MitM attack on first
>> connections. Or, of course, attacks directly on the crypto itself,
>> such as attempts to factor RSA moduli. What am I missing?

> That's not enough? ;-)

No. I run an old implementation, old enough that as far as I know none
of the implementation attacks like buffer overflows apply. Social
engineering attacks - well, I think I know enough about them, and am
paranoid enough in general, that they won't work against me. (I
certainly pay attention to changed-host-key warnings, and *never* use
ssh's password authentication.) As for crypto attacks...what do you
know that I don't but should? :-)

> I'm not sure if you include this one in your list:
> [...]
> http://staff.washington.edu/dittrich/misc/ssh-analysis.txt

That falls into the "implementation attacks against late
implementations" category.

/~\ The ASCII                             der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse@rodents.montreal.qc.ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B