Re: Don't panic (ssh)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 14 January 2002 at 13:05:57 Craigsc wrote: > How do you disable ssh1 protocol with the current > ssh on potato ?>> I may be very wrong here as I've only been using Debian for 3 days now, but as far as I can see the current sshd on potato only supports ssh1 protocol. That's why I removed the package and self-compiled the latest sources from www.openssh.org to ensure I had only ssh2 protocol compiled in. I've had a box compromised through the ssh1 CRC32 vulnerability once, I'm not going to let it happen again! Cheers - -- Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc Versace & Prada mean nothing to me, You buy your friends but I'll hate you for free Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com -BEGIN PGP SIGNATURE- Version: PGP 6.5i iQA/AwUBPELbYWByUNb+aO+GEQL/FACeMwMQY9nvTPpORPRdKpd6X5ret8EAoIcI 966spRQfdUFlD2D8KHY8TAN/ =9qaj -END PGP SIGNATURE-
Re: Don't panic (ssh)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 14 January 2002 at 11:48:34 [EMAIL PROTECTED] wrote: >> Have I missed something and was I already OK, or is the current stable >> potato release shipping with a potential ssh security hole? > AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need > to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, > as SSH2 so far does not support RSA keypairs and needs DSA keys. That's the impression I was under, too. In which case the current stable release of Debian comes with an sshd which uses protocol 1 and is therefore open to allowing remote root compromises. Is there any way to find out what flavour of Debian I have which is more detailed than this: [EMAIL PROTECTED]:~$ cat /etc/debian_version 2.2 Cheers - -- Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc Versace & Prada mean nothing to me, You buy your friends but I'll hate you for free Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com -BEGIN PGP SIGNATURE- Version: PGP 6.5i iQA/AwUBPELMV2ByUNb+aO+GEQJQ9gCgi8S43E7EeimjmNgVxdVQ0lIcBcgAoNxK VUCUJvFQB8mjDD47v4eFyyly =6JW1 -END PGP SIGNATURE-
Re: Don't panic (ssh)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 14 January 2002 at 10:35:17 Thomas Seyrat wrote: TS> Not if your SSH daemon is up to date :-) Is the SSHD in the latest potato fully up-to-date, though? I am a very recent convert to Debian, having been an avid Slackware fan for the last seven years. However one of my (very old) Slack boxen was compromised on Christmas Day via the sshd CRC32 vulnerability and I decided to replace it with Debian, a distro which has seriously impressed me. Not wanting the same problem to reoccur, after installation & configuration I checked my version of sshd. As far as I could ascertain the sshd which comes with the current potato release is OpenSSH 1.something (can't say exactly what now as I've removed it and my notes are all at home), however iirc it was only using version 1 of the SSH protocols, which leaves the vulnerability in place. I removed the Debian SSH package & manually installed OpenSSH 3.0.2p1 which is invulnerable (so far!) to all known vulnerabilities as long as version 1 of the SSH protocol isn't used, even as a fallback. Have I missed something and was I already OK, or is the current stable potato release shipping with a potential ssh security hole? Cheers - -- Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc Versace & Prada mean nothing to me, You buy your friends but I'll hate you for free Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com -BEGIN PGP SIGNATURE- Version: PGP 6.5i iQA/AwUBPEK8BWByUNb+aO+GEQJfogCghHz4ajXP81s4OwS2/HOMx8sbXgIAoJLo moxb226Bpj+mLJ7wp4PVsJbK =wRJH -END PGP SIGNATURE-
Re: Don't panic (ssh)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 14 January 2002 at 13:05:57 Craigsc wrote: > How do you disable ssh1 protocol with the current > ssh on potato ?>> I may be very wrong here as I've only been using Debian for 3 days now, but as far as I can see the current sshd on potato only supports ssh1 protocol. That's why I removed the package and self-compiled the latest sources from www.openssh.org to ensure I had only ssh2 protocol compiled in. I've had a box compromised through the ssh1 CRC32 vulnerability once, I'm not going to let it happen again! Cheers - -- Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc Versace & Prada mean nothing to me, You buy your friends but I'll hate you for free Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com -BEGIN PGP SIGNATURE- Version: PGP 6.5i iQA/AwUBPELbYWByUNb+aO+GEQL/FACeMwMQY9nvTPpORPRdKpd6X5ret8EAoIcI 966spRQfdUFlD2D8KHY8TAN/ =9qaj -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Don't panic (ssh)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 14 January 2002 at 11:48:34 [EMAIL PROTECTED] wrote: >> Have I missed something and was I already OK, or is the current stable >> potato release shipping with a potential ssh security hole? > AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need > to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, > as SSH2 so far does not support RSA keypairs and needs DSA keys. That's the impression I was under, too. In which case the current stable release of Debian comes with an sshd which uses protocol 1 and is therefore open to allowing remote root compromises. Is there any way to find out what flavour of Debian I have which is more detailed than this: iain@starfish:~$ cat /etc/debian_version 2.2 Cheers - -- Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc Versace & Prada mean nothing to me, You buy your friends but I'll hate you for free Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com -BEGIN PGP SIGNATURE- Version: PGP 6.5i iQA/AwUBPELMV2ByUNb+aO+GEQJQ9gCgi8S43E7EeimjmNgVxdVQ0lIcBcgAoNxK VUCUJvFQB8mjDD47v4eFyyly =6JW1 -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Don't panic (ssh)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 14 January 2002 at 10:35:17 Thomas Seyrat wrote: TS> Not if your SSH daemon is up to date :-) Is the SSHD in the latest potato fully up-to-date, though? I am a very recent convert to Debian, having been an avid Slackware fan for the last seven years. However one of my (very old) Slack boxen was compromised on Christmas Day via the sshd CRC32 vulnerability and I decided to replace it with Debian, a distro which has seriously impressed me. Not wanting the same problem to reoccur, after installation & configuration I checked my version of sshd. As far as I could ascertain the sshd which comes with the current potato release is OpenSSH 1.something (can't say exactly what now as I've removed it and my notes are all at home), however iirc it was only using version 1 of the SSH protocols, which leaves the vulnerability in place. I removed the Debian SSH package & manually installed OpenSSH 3.0.2p1 which is invulnerable (so far!) to all known vulnerabilities as long as version 1 of the SSH protocol isn't used, even as a fallback. Have I missed something and was I already OK, or is the current stable potato release shipping with a potential ssh security hole? Cheers - -- Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc Versace & Prada mean nothing to me, You buy your friends but I'll hate you for free Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com -BEGIN PGP SIGNATURE- Version: PGP 6.5i iQA/AwUBPEK8BWByUNb+aO+GEQJfogCghHz4ajXP81s4OwS2/HOMx8sbXgIAoJLo moxb226Bpj+mLJ7wp4PVsJbK =wRJH -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]