Re: SSH Vulnerability
From: Nico Kadel-Garcia (nkadel@bellatlantic.net)
Date: 02/25/02
- In reply to: Markus Friedl: "Re: SSH Vulnerability"
From: "Nico Kadel-Garcia" <nkadel@bellatlantic.net> Date: Mon, 25 Feb 2002 00:06:01 GMT
"Markus Friedl" <msfriedl@cip.informatik.uni-erlangen.de> wrote in message
news:a5b64n$rtb$1@rznews2.rrze.uni-erlangen.de...
> In <3C78F9D1.F5452310@123.net> William Webb <wwebb@123.net> writes:
>
> >Aside from switching to SSH2 to avoid the SSH1 vulnerability --
> >http://www.kb.cert.org/vuls/id/945216 I have noticed that since I
>
> generally, switching protocols does not solve problems.
>
> it's better to upgrade broken software.

Yeah. Almost all reports of "the SSH1 vulnerability" are traceable back to
the buffer overflow, which is not an SSH1 protocol problem but a software
mistake, that was corrected in OpenSSH many, many moons ago. There is *no*
proof that SSH2 doesn't have similar errors, and all published versions of
SSH servers corrected it some time ago as well.

Now, ssh.com is happy to get people off of SSH1. SSH2 was created for a
number of reasons, partly to address some SSH1 missing software features but
primarily, IMHO, to get away from the patented RSA protocol. Well, the RSA
patent has expired: The main reason now to use SSH2 is because someone you
work with likes it, or you like the sftp software. I don't: any "ftp" server
that can't handle "ls -lR" or "mget *.c" needs to be renamed the
"Only_Useful_With_A_GUI_Secure_FTP_", or OUWAGUISFTP for short. If you can
spell it, you can use it....