Benjamin Pharr wrote:
>
> While logging into my Debian box using ssh I noticed that it is set up to
> use SSH version 1 by default. This protocol is widely known to have
> security problems. Does anyone know why Debian is still using it? Below I
> have pasted a link from the official ssh.org FAQ.

and which security "problems" are you referring to? i read every bugtraq posting and have found nothing about ssh1. there is a new sniffer out there that can do a man-in-the-middle attack, but that is not a protocol problem, it is an administrative problem (as was pointed out many times on bugtraq). and that sniffer will eventually be able to sniff ssh2 as well, but again it's not a protocol security problem. same goes for SSL.

debian's default configuration immediately drops connection to a host whose key has changed; you have to go into the known_hosts and delete it manually. if you do that and get caught by a sniffer it's your own damn fault :)

if there are other security problems that have been uncovered in the past year (there are a couple that are older but that was long before openssh even began)... i'd like to know.

nate

--
::: ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
[EMAIL PROTECTED]
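
The host-key check the reply above describes, as an added example that is not part of the original message and is not OpenSSH's code. It assumes the current OpenSSH known_hosts line layout (host field, key type, base64 key) with exact or hashed host names only; the host names and keys are constructed.

```python
import base64, hashlib, hmac

def hash_host(host, salt):
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """True if a host field (comma list of exact names, or hashed) names host."""
    if field.startswith("|1|"):
        parts = field.split("|")
        if len(parts) != 4:
            return False
        return hmac.compare_digest(field, hash_host(host, base64.b64decode(parts[2])))
    return host in field.split(",")  # assumption: no wildcard or negated patterns

def fingerprint(key_b64):
    """SHA256 fingerprint string, for comparing a key out of band with the admin."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(known_hosts_text, host, keytype, key_b64):
    """Return 'match', 'changed' (client must refuse) or 'unknown' (first contact)."""
    seen_host = False
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@")):  # comments and marker lines skipped
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1] != keytype or not host_matches(parts[0], host):
            continue
        seen_host = True
        if parts[2] == key_b64:
            return "match"
    return "changed" if seen_host else "unknown"

# Constructed sample data: the "keys" are placeholder bytes, not real public keys.
KEY_A = base64.b64encode(b"constructed-key-A").decode()
KEY_B = base64.b64encode(b"constructed-key-B").decode()
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "debian.example.org,192.0.2.10 ssh-ed25519 " + KEY_A,
    hash_host("hashed.example.org", b"constructed-salt-001") + " ssh-ed25519 " + KEY_A,
])

if __name__ == "__main__":
    for host, key in [("debian.example.org", KEY_A), ("debian.example.org", KEY_B),
                      ("new.example.org", KEY_A)]:
        print(host, check_host_key(SAMPLE, host, "ssh-ed25519", key), fingerprint(key))
```

A "changed" result is the case where the stored entry should be removed only after the new fingerprint has been confirmed with the host's administrator over a separate channel.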