From: Jan Conrad (conradth.physik.uni-bonn.de)
Date: Thu Feb 15 2001 - 05:30:20 CST
For quite a long time now I cannot understand why people encourage others
to use ssh2 by default, and I wanted to ask the readers of this list for
Even though I believe people who say that ssh2 is much more secure for root
accounts, servers, etc., I don't see why this should be true in general.
Especially on bigger networks, say university networks like ours, where you often
find BNC segments or the switches are more or less accessible to everyone
(who really wants to...), in my opinion ssh2 is much more insecure than ssh1.
My problem simply is that the id_dsa file is stored in user home dirs,
which typically are mounted via NFS. So ssh2, in contrast to ssh1 with
RSAAuthentication disabled, allows sniffers to access your system even
without *actively* attacking your system, all you need is the id_dsa
Even if that file is protected by a passphrase, you don't gain much...
In conclusion, I would like to have the ssh protocol defaulted to 1 with
RSAAuthentication disabled; of course, people who install servers and
security specific stuff should know not to use that for their uses, but
most other people simply install the default.
-- Physikalisches Institut der Universitaet Bonn Nussallee 12 D-53115 Bonn GERMANY
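The exposure described in the mail, a private key file sitting in an NFS-mounted home directory, can be checked for rather than argued about. The following audit helper is an added example for this archive page, not code from the original post, FreeBSD or OpenSSH. It walks a home directory's `.ssh`, reports the filesystem type each private key lives on (flagging nfs/nfs4 as EXPOSED, since the file contents cross the wire in clear), and reports whether the key is passphrase-protected. It goes slightly beyond the 2001 mail: besides the PEM-style keys of that era (`Proc-Type: 4,ENCRYPTED` header) it also recognises the newer OpenSSH key container, whose decoded header names the cipher (`none` means no passphrase). The mount table is passed in as a file in `/proc/mounts` format, and the demo tree, key bodies and mount lines are constructed placeholders, so the script runs offline; the hostnames, paths and device names are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original post: audit SSH private keys that live
# on NFS-mounted home directories and report their passphrase status.

# mount_type PATH MOUNTS_FILE
# Prints the fstype of the longest mount point containing PATH (/proc/mounts format).
mount_type() {
  path=$1; mounts=$2; best=''; besttype=''
  while read -r _dev mnt fstype _rest; do
    if [ "$mnt" = / ]; then matched=1
    else case "$path" in "$mnt"|"$mnt"/*) matched=1 ;; *) matched=0 ;; esac
    fi
    if [ "$matched" = 1 ] && [ ${#mnt} -ge ${#best} ]; then
      best=$mnt; besttype=$fstype
    fi
  done < "$mounts"
  printf '%s\n' "$besttype"
}

# on_nfs PATH MOUNTS_FILE -> exit 0 when PATH sits on an NFS mount
on_nfs() {
  case "$(mount_type "$1" "$2")" in nfs|nfs4) return 0 ;; *) return 1 ;; esac
}

# key_status KEYFILE -> prints "encrypted", "cleartext" or "unknown".
# PEM keys carry "Proc-Type: 4,ENCRYPTED" when passphrase-protected. The newer
# OpenSSH container starts with the magic "openssh-key-v1\0", a 4-byte length,
# then the cipher name; the first 23 decoded bytes are therefore enough to tell
# "none" (no passphrase) from a real cipher such as "aes256-ctr".
key_status() {
  f=$1
  if ! head -n1 "$f" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
    echo unknown; return
  fi
  if head -n1 "$f" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
    cipher=$(sed '/^-----/d' "$f" | base64 -d 2>/dev/null | head -c 23 | tr -cd '[:print:]')
    case "$cipher" in
      openssh-key-v1none) echo cleartext ;;
      openssh-key-v1*)    echo encrypted ;;
      *)                  echo unknown ;;
    esac
  elif grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
    echo encrypted
  else
    echo cleartext
  fi
}

# audit_keys HOME_DIR MOUNTS_FILE
# One line per private key: "<path> <fstype> <encrypted|cleartext|unknown> <ok|EXPOSED>"
# A key on NFS is EXPOSED regardless of passphrase: the file itself is sniffable.
audit_keys() {
  home=$1; mounts=$2
  find "$home/.ssh" -type f \( -name 'id_*' -o -name identity \) ! -name '*.pub' 2>/dev/null |
  sort | while read -r k; do
    fstype=$(mount_type "$k" "$mounts"); status=$(key_status "$k")
    if on_nfs "$k" "$mounts"; then verdict=EXPOSED; else verdict=ok; fi
    printf '%s %s %s %s\n' "$k" "${fstype:-unknown}" "$status" "$verdict"
  done
}

# make_demo DIR: constructed demo tree (placeholder key bodies, fake mount table;
# "nfsserver" and the device name are invented).
make_demo() {
  d=$1
  mkdir -p "$d/home/jan/.ssh" "$d/local/root/.ssh"
  printf '%s\n' "nfsserver:/export/home $d/home nfs rw 0 0" \
                '/dev/ad0s1a / ufs rw 0 0' > "$d/mounts"
  # PEM DSA key without passphrase (no Proc-Type header), on the NFS home
  printf -- '-----BEGIN DSA PRIVATE KEY-----\nPLACEHOLDERBODY\n-----END DSA PRIVATE KEY-----\n' \
    > "$d/home/jan/.ssh/id_dsa"
  # PEM RSA key with passphrase, also on the NFS home
  printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nPLACEHOLDERBODY\n-----END RSA PRIVATE KEY-----\n' \
    > "$d/home/jan/.ssh/id_rsa"
  # New-format OpenSSH key, passphrase-protected, on local disk; only the real
  # header layout (magic, cipher, kdf) is reproduced, the rest is omitted
  b64=$(printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64)
  printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n' "$b64" \
    > "$d/local/root/.ssh/id_ed25519"
}

# Stand-alone run: build the demo tree in a temp dir, audit both homes, clean up.
run_demo() {
  d=$(mktemp -d)
  make_demo "$d"
  audit_keys "$d/home/jan" "$d/mounts"
  audit_keys "$d/local/root" "$d/mounts"
  rm -rf "$d"
}
run_demo
```

On a real host, call `audit_keys /home/someuser /proc/mounts` (or feed it `mount -p` output reshaped to the same column order on FreeBSD). Any line ending in EXPOSED is a key whose bytes travel over the NFS wire every time ssh reads it; the mitigation the post implies is to keep private keys on local storage, or not to use key authentication at all from NFS-homed accounts, since a passphrase only slows down an offline guess against a key file the sniffer already holds.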