Hi,
On Sat, 29 Apr 2000, Markus Friedl wrote:
> > (How is this authentication better than SSH1?)
>
> one 'advantage' of SSH2 is that it is not restricted to RSA, thus
> there are no problems with the RSA patent.

Just an addition to this explanation. It is not only the flexibility of
multiple algorithms that is an advantage of the host-authentication of
SSH2. A major advantage is that of flexibility in
key/certificate/signature formats.

With SSH1 you must either distribute a known_hosts file (with ALL hosts
that one wants to connect to) OR accept the fact that the first connection
to the server is not protected against a man-in-the-middle attack.

With SSH2 you can use the SSH1 way of doing things BUT you can also use a
PKI (e.g. one built with an OpenPGP implementation) to have the
authentication be done with certificates (much as SSL/TLS typically does,
but SSH2 is probably more flexible), meaning that you could for example
distribute a single "root-certificate" with which all hosts' public keys
have been signed (i.e. with the "root-certificate"'s private key), giving
them valid certificates to authenticate with (without the risk of a
man-in-the-middle). This means you still have to distribute a
"root-certificate" by other means BUT you can change/add servers in your
configuration without having to redistribute new known_hosts files.

NOTE: I have not checked if this is actually practically possible with the
current server implementation, but it is certainly suggested (recommended)
by the draft of the transport layer.

Finally, note that SSH2 has a "client-anonymous" transport level of the
protocol which is NOT concerned with the user/client authentication (e.g.
through password or "public keys"), hence it is up to the upper layers of
the protocol to take care of (if needed) user/client authentication once
the connection to the server is established.

Cheers,
/Mats
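The root-certificate scheme Mats describes above, shown the way OpenSSH later implemented it with host certificates: one CA public key in the client's known_hosts instead of one line per server, and a check that a presented host certificate actually chains to that CA. This is an added example, not part of the original thread or any SSH implementation; it assumes ssh-keygen is installed and uses the constructed domain example.test and made-up host names.

```shell
#!/bin/sh
# Host authentication with a single trusted "root" key (OpenSSH host certificates).
# Assumes ssh-keygen (OpenSSH) is installed; all keys live in a throwaway temp dir.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found, nothing to run" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN=example.test   # constructed sample domain

# 1. The "root certificate": one CA key pair. Only ca.pub is handed to clients;
#    the private half stays with whoever signs host keys.
ssh-keygen -q -t ed25519 -N '' -C "host-ca@$DOMAIN" -f "$WORK/ca"

# 2. Every server keeps its own host key; the CA signs it (-h = host certificate,
#    -n = host names the certificate is valid for, -V = validity window).
make_host_cert() {  # $1 = short host name, $2 = CA private key to sign with
    ssh-keygen -q -t ed25519 -N '' -C "$1" -f "$WORK/$1_key"
    ssh-keygen -q -s "$2" -I "$1-host" -h -n "$1.$DOMAIN" -V -5m:+52w "$WORK/$1_key.pub"
}

# 3. Client side: a single @cert-authority line replaces a known_hosts entry
#    per server, so adding or re-keying servers needs no client update.
client_known_hosts() {
    printf '@cert-authority *.%s %s\n' "$DOMAIN" "$(cut -d' ' -f1,2 "$WORK/ca.pub")"
}

# 4. The check a client performs: does the host certificate chain to the CA in
#    its known_hosts? Compare the certificate's "Signing CA" fingerprint with
#    the fingerprint of the trusted CA public key.
cert_signed_by_trusted_ca() {  # $1 = short host name
    ca_fp=$(ssh-keygen -lf "$WORK/ca.pub" | awk '{print $2}')
    signer=$(ssh-keygen -L -f "$WORK/$1_key-cert.pub" | grep 'Signing CA:')
    case "$signer" in *"$ca_fp"*) return 0 ;; *) return 1 ;; esac
}

# Demo: two hosts signed by our CA, plus one signed by an unrelated CA, which is
# all a man-in-the-middle without access to our CA private key could present.
make_host_cert web1 "$WORK/ca"
make_host_cert web2 "$WORK/ca"
ssh-keygen -q -t ed25519 -N '' -C rogue-ca -f "$WORK/rogue_ca"
make_host_cert mitm "$WORK/rogue_ca"

echo "client known_hosts:"; client_known_hosts
for h in web1 web2 mitm; do
    if cert_signed_by_trusted_ca "$h"; then echo "$h: trusted"; else echo "$h: REJECTED"; fi
done
```

The client's known_hosts stays at one line no matter how many hosts the CA signs, which is exactly the "change/add servers without redistributing known_hosts" property argued for above.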