It seems that this discussion has been due to an over-zealous sysadmin. If one will check the Nessus documentation (mailing lists), such "false positives" have been thoroughly debated. Many of the scan scripts (nasl plugins) only check version numbers. Owing to this paradigm, Nessus outputs warnings in the log file concerning such false indicators. I have recently run the latest experimental (cvs) release of Nessus against Potato. A security-hole is indicated along with a **Warning** of a possible false positive.

The only way to fix the false positive problem would be to have Nessus actually crack the target. This idea is greatly frowned upon!

Bottom line is that Potato ssh is secure relative to the CRC 32 compensation attack.

You might inform your sysadmin to check the Nessus mailing list archive or subscribe to it.

Albeit, VERY nicely though! :p

-Walter
