Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 88329 - RFE openssh daemon enables protocol 1 by default
Summary: RFE openssh daemon enables protocol 1 by default
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-04-08 22:42 UTC by Kevin J. Miller
Modified: 2007-11-30 22:10 UTC (History)
4 users (show)

Fixed In Version: openssh-3.9p1-10
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-02-08 15:38:32 UTC


Attachments (Terms of Use)

Description Kevin J. Miller 2003-04-08 22:42:53 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
The file /etc/ssh/sshd_config has both protocols 1 and 2 of ssh enabled by
default.  Protocol 1 has known security problems, and should be disabled by default.

Version-Release number of selected component (if applicable):
openssh-server-3.5p1-6

How reproducible:
Always

Steps to Reproduce:
1.  I can log in with a protocol 1 client.
    

Additional info:

Comment 1 Nathan G. Grennan 2003-04-10 03:48:39 UTC
I agree, I have been having to disable it manually on all the machines I
administrate. I have even found putty using ssh1 by default. So this just isn't
a case of when people use ssh1 on purpose.

Comment 2 Mark J. Cox 2003-06-02 11:48:46 UTC
Whilst protocol version 1 has some 'known security issues' in general these did
not affect OpenSSH.  For example looking at
http://www.f-secure.com/support/technical/ssh/ssh1_vulnerabilities.shtml each of
these issues does not affect OpenSSH, and http://www.openssh.com/goals.html
gives you some more details.


Comment 3 Tomas Mraz 2005-02-04 14:14:56 UTC
We should consider this again as most clients now support ssh v2.


Note You need to log in before you can comment on or make changes to this bug.