Re: Why does openssh protocol default to 2?

From: Jan Conrad (conrad@th.physik.uni-bonn.de)
Date: 02/18/01


Date: Sun, 18 Feb 2001 17:03:59 +0100 (CET)
From: Jan Conrad <conrad@th.physik.uni-bonn.de>
To: <cjclark@alum.mit.edu>

On Sat, 17 Feb 2001, Crist J. Clark wrote:

> On Fri, Feb 16, 2001 at 03:49:04PM +0100, Jan Conrad wrote:
>
> [snip]
>
> > What I would find reasonable is something like an .shosts mechanism for
> > ssh2 or, better, but more complicated, having the keys themselves
> > encrypted by some private key of the machine. Why should a user have
> > access to a plain key?
>
> OK, I am still not understanding why you believe SSH1 has advantages
> over SSH2 when a user has NFS mounted home directories. The real
> vulnerability to SSHx with NFS home directories is the threat that an
> attacker may write to .ssh/authorized_keys*. If you can write to that
> file, you can write to .shosts or .rhosts.
>
> What attack is SSH2 vulnerable to which SSH1 is not?

So in conclusion, simply the whole contents of the .ssh dir must not
appear on NFS shares. Then SSH2 is the only choice, I agree.

Thanks for all you comments
regards
        Jan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message