Re: SSHv1 vs SSHv2
From: Carl Holtje (cwh0803_at_cs.rit.edu)
Date: 11/20/03
Date: Wed, 19 Nov 2003 18:07:30 -0500
Here's a small collection of some deadly vulnerabilities of SSHv1:
http://www.kb.cert.org/vuls/id/684820
http://www.kb.cert.org/vuls/id/850440
http://www.kb.cert.org/vuls/id/19124
More can be found, along with a bunch of other nifty insights into SSH
at http://www.cert.org/ with a search of 'SSH v1'...
The short of these is that SSHv1 is not as secure as you'd like, and
SSHv2+ is; so don't use v1.. :)
Enjoy..
Carl
Rob Stampfli wrote:
> In article <3fba15d2$1@buckaroo.cs.rit.edu>,
> Carl Holtje <cwh0803@cs.rit.edu> wrote:
>
>>When in doubt, USE SSH!!!.. and not SSHv1...
>
>
> I know the conventional wisdom is that there are problems,
> or at least deficiencies, with SSHv1, but I have been unable
> to find any specifics as to why SSHv1 should be avoided on
> the internet. Rather, it always appears as conventional wisdom.
>
> I realize there have been certain bugs in some implementations
> of the original protocol and that these have been resolved in the
> latest releases. I allow SSHv1 on my servers, and I often
> use it.
>
> Can someone explain with clear and convincing evidence just
> what is wrong with SSHv1, and, if there are real deficiencies,
> just how serious they are? For instance, has anyone ever
> successfully broken an SSHv1 session entirely through a
> cryptanalytic approach, or by simply analyzing the traffic
> on a link?
>
> Thanks in advance,
> Rob
--
"There are 10 types of people in the world: Those who understand binary and those that don't."
$>whoami: Carl Holtje
$>mail holtje: cwh0803@cs.rit.edu
$>cu: http://www.cs.rit.edu/~cwh0803
$>whois holtje: System Administrator Group
Computer Science Department
Rochester Institute of Technology
$>
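
An added example, not part of the original thread: one way to check whether servers you run still offer SSHv1, by classifying the identification banner each server sends (protoversion 1.99 means "2.0, but v1 clients still accepted") and by reading the legacy OpenSSH `Protocol` directive. The host names, banners and function names are constructed for illustration.

```python
import re

# SSH identification string: "SSH-<protoversion>-<softwareversion>[ comments]"
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")

def classify_banner(banner):
    """Return 'v1-only', 'v1+v2', 'v2-only' or 'unknown' for a server banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):
        return "v1+v2"      # compatibility mode: v2 server that also accepts v1
    if major == 1:
        return "v1-only"
    if major == 2:
        return "v2-only"
    return "unknown"

def config_allows_v1(sshd_config_text):
    """True/False if the legacy 'Protocol' directive lists version 1 or not.
    Returns None when no Protocol line is set (the default depends on the build)."""
    for line in sshd_config_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "protocol":
            return "1" in {v.strip() for v in parts[1].split(",")}
    return None

def servers_offering_v1(banners):
    """Given {host: banner}, list the hosts that still accept SSHv1."""
    return sorted(h for h, b in banners.items()
                  if classify_banner(b) in ("v1-only", "v1+v2"))

# Constructed sample data: banners as captured from an inventory of own hosts.
SAMPLE_BANNERS = {
    "host-a.example": "SSH-1.5-1.2.27\n",
    "host-b.example": "SSH-1.99-OpenSSH_3.7.1p2\r\n",
    "host-c.example": "SSH-2.0-OpenSSH_3.7.1p2\r\n",
}

if __name__ == "__main__":
    for host in servers_offering_v1(SAMPLE_BANNERS):
        print(f"{host}: still accepts SSHv1, restrict it to protocol 2")
```
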