
upgrade ssh1 to ssh2 necessary?


Falko Zurell

Feb 26, 2000, 3:00:00 AM
-----BEGIN PGP MESSAGE-----
Version: PGP Personal Privacy 6.5.3
Comment: !!! PLEASE DON'T SAVE decrypted messages !!!

<encoded_portion_removed>
-----END PGP MESSAGE-----


Falko Zurell

Feb 26, 2000, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

sorry, little misconfiguration of my PGP.... ;-(

here's the question:

Is there a really major security reason why to upgrade from ssh1 to
ssh2?
SSH1 is for free, ssh2 not. Neither the server nor the clients,
didn't they?

Any suggestions

thanks in advance

Falko Zurell

-----BEGIN PGP SIGNATURE-----


Version: PGP Personal Privacy 6.5.3
Comment: !!! PLEASE DON'T SAVE decrypted messages !!!

iQA/AwUBOLhKSdS6mbOPX/bHEQJfOQCfYzRf6IUsd1eRdVNWEhfw4glswTgAoKYX
alnZd7WjQcdnFN6+OzzjQFJs
=qJw4
-----END PGP SIGNATURE-----


Theo de Raadt

Feb 26, 2000, 3:00:00 AM
"Falko Zurell" <fa...@zurell.de> writes:

> Is there a really major security reason why to upgrade from ssh1 to
> ssh2?

ssh1 has a protocol flaw that allows an attacker to do a crc insertion
attack. this attack is apparently not possible if you use 3des, but
is possible if you use other ciphers (which basically means blowfish).

modern ssh1 and openssh solve the problem by breaking the connection
when an insertion attack is noticed.

i've never heard of this attack being done on a person, and i don't
know if the attack code has even been released.

markus friedl is looking into further solutions to solve this problem,
without having to go all the way to ssh2.

certainly an implementation of ssh which both ssh1 and ssh2 protocols
would rock, but we're there yet.

for the moment, i would not worry about the problem. ssh1 protocol
is FAR MORE popular.

> SSH1 is for free, ssh2 not. Neither the server nor the clients,
> didn't they?

ssh1 is partially free, ssh2 is less partially free.

openssh is free ;-)

--
This space not left unintentionally unblank. der...@openbsd.org
Open Source means some restrictions apply, limits are placed, often quite
severe. Free Software has _no_ serious restrictions. OpenBSD is Free Software.
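
Added example, not part of the original thread: the weakness behind the "crc insertion attack" discussed above is that SSH1 checks packet integrity with CRC-32, an unkeyed checksum that is affine over XOR, so the checksum of a modified message can be derived from the old checksum and the change alone. The Python sketch below checks that property on constructed data and shows that a keyed MAC such as HMAC-SHA1 (the kind of integrity check SSH2 uses) does not have it; `MSG`, `DELTA` and `KEY` are constructed values, and no SSH packet format or cipher is modelled.

```python
import hashlib
import hmac
import zlib

# Constructed sample data (not taken from any real SSH session).
MSG = b"constructed sample payload bytes"
DELTA = bytes(0x01 if i % 7 == 0 else 0x00 for i in range(len(MSG)))
KEY = bytes(range(20))  # constructed HMAC key


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def crc_tag(msg: bytes) -> bytes:
    """Unkeyed CRC-32 checksum as a 4-byte string."""
    return zlib.crc32(msg).to_bytes(4, "big")


def hmac_tag(msg: bytes) -> bytes:
    """Keyed MAC: HMAC-SHA1 under KEY."""
    return hmac.new(KEY, msg, hashlib.sha1).digest()


def tag_is_predictable(tag, msg: bytes, delta: bytes) -> bool:
    """True if tag(msg ^ delta) == tag(msg) ^ tag(delta) ^ tag(zeros).

    For CRC-32 the last two terms depend only on the change and the
    length, so the new checksum follows from the old one without
    knowing msg. For a keyed MAC the relation does not hold, and the
    terms cannot even be computed without the key.
    """
    zeros = bytes(len(msg))
    predicted = xor(xor(tag(msg), tag(delta)), tag(zeros))
    return predicted == tag(xor(msg, delta))


if __name__ == "__main__":
    print("CRC-32 predictable:   ", tag_is_predictable(crc_tag, MSG, DELTA))
    print("HMAC-SHA1 predictable:", tag_is_predictable(hmac_tag, MSG, DELTA))
```
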

Juri Munkki

Feb 26, 2000, 3:00:00 AM
In article <chfevp...@zeus.theos.com> Theo de Raadt <der...@zeus.theos.com> writes:
>certainly an implementation of ssh which both ssh1 and ssh2 protocols
>would rock, but we're there yet.
>
>for the moment, i would not worry about the problem. ssh1 protocol
>is FAR MORE popular.

SSH2 has the advantage of allowing tunnel (TCP forward) creation at just
about any time. SSH1 is limited in that it always requires a session
channel if you want to do tunneling. A lot of people actually want to
use SSH as a VPN-like solution only, so the terminal connection they
get with SSH1 is totally superfluous (and confusing).

An implementation that contained both SSH1 and SSH2 protocols would probably
have to impose some restrictions when SSH1 was being used (otherwise things
would get very tricky).

>> SSH1 is for free, ssh2 not. Neither the server nor the clients,
>> didn't they?
>
>ssh1 is partially free, ssh2 is less partially free.

Looking at just the protocol, SSH2 is more open than SSH1. Anyone can
get the specification and implement the protocol without paying a penny
for patent rights. The implementations are another matter, of course.

--
Juri Munkki jmu...@iki.fi What you see isn't all you get.
http://www.iki.fi/jmunkki Windsurfing: Faster than the wind.

Theo de Raadt

Feb 26, 2000, 3:00:00 AM
jmu...@alpha.hut.fi (Juri Munkki) writes:

> >> SSH1 is for free, ssh2 not. Neither the server nor the clients,
> >> didn't they?
> >
> >ssh1 is partially free, ssh2 is less partially free.
>
> Looking at just the protocol, SSH2 is more open than SSH1. Anyone can
> get the specification and implement the protocol without paying a penny
> for patent rights. The implementations are another matter, of course.

well, that doesn't matter much. we're talking about a world which has,
what, 15 ssh1 implementations, and 4 ssh2 implementations?

the ssh1 protocol is just as free, and you don't need to start with
lousy specifications, since free code exists.

Niels Möller

Feb 27, 2000, 3:00:00 AM
jmu...@alpha.hut.fi (Juri Munkki) writes:

> In article <chfevp...@zeus.theos.com> Theo de Raadt <der...@zeus.theos.com> writes:
> >certainly an implementation of ssh which both ssh1 and ssh2 protocols
> >would rock, but we're there yet.
> >
> >for the moment, i would not worry about the problem. ssh1 protocol
> >is FAR MORE popular.
>
> SSH2 has the advantage of allowing tunnel (TCP forward) creation at just
> about any time. SSH1 is limited in that it always requires a session
> channel if you want to do tunneling. A lot of people actually want to
> use SSH as a VPN-like solution only, so the terminal connection they
> get with SSH1 is totally superfluous (and confusing).

Does there exist any ssh2-implementations that takes advantage of
that? LSH does have the -N (no-operation) option that allows you to
request forwardings without creating any session. But that's fairly
trivial. Creation of new forwardings on an existing connection would
be more interesting.

/Niels

Jonathan Clemens

Feb 27, 2000, 3:00:00 AM
In article <899opd$4sl$1...@nntp.hut.fi>,

Juri Munkki <jmu...@alpha.hut.fi> wrote:
>SSH2 has the advantage of allowing tunnel (TCP forward) creation at just
>about any time. SSH1 is limited in that it always requires a session
>channel if you want to do tunneling. A lot of people actually want to
>use SSH as a VPN-like solution only, so the terminal connection they
>get with SSH1 is totally superfluous (and confusing).

Totally superfluous? Will ssh2 do UDP forwarding?

As I understand it, setting up a VPN using private IP addresses, like
is discussed in the O'Reilly VPN book, will result in all traffic to
the destination host's VPN interface going through the ssh tunnel--
ICMP, TCP, UDP, and so forth.

How can I get SSH2 to do the same thing? Or can I?

I want to set up a small number of Linux machines on a *mostly* trusted
network, to be able to do encrypted NFS, and possibly NIS. Can I do
this with ssh2? ssh1? Not at all?

Jonathan Clemens


--

Julian King

Feb 28, 2000, 3:00:00 AM
Theo de Raadt wrote:
> ssh1 has a protocol flaw that allows an attacker to do a crc insertion
> attack. this attack is apparently not possible if you use 3des, but
> is possible if you use other ciphers (which basically means blowfish).

It does? Do you have a reference? I've not seen any mention of a
problem with ssh1 in this newsgroup which wasn't subsequently blown
out of the water by someone else.

> modern ssh1 and openssh solve the problem by breaking the connection
> when an insertion attack is noticed.

Oh - so it isn't vulnerable then? Well except to denial of service
which is always going to be the case.

[snip]

> > SSH1 is for free, ssh2 not. Neither the server nor the clients,
> > didn't they?
>
> ssh1 is partially free, ssh2 is less partially free.
>

> openssh is free ;-)

Don't forget lsh, the gnu-licence version of ssh2

Julian
--
Julian King | There once was a limerick .sig | My opinions, all
Computer Officer | that really was not very big | mine. You can't
University of Cambridge | It was going quite fine | have them!
Unix Support | Till it reached the fourth line | P.S. It's a joke

Julian King

Feb 28, 2000, 3:00:00 AM
Juri Munkki wrote:
> SSH2 has the advantage of allowing tunnel (TCP forward) creation at just
> about any time. SSH1 is limited in that it always requires a session
> channel if you want to do tunneling. A lot of people actually want to
> use SSH as a VPN-like solution only, so the terminal connection they
> get with SSH1 is totally superfluous (and confusing).

Umm, mindterm the java implementation of ssh1 appears to allow
that with ssh1 as well... Unless I am losing my mind, that means
it cannot be a protocol issue, just a client issue.

Markus Friedl

Feb 28, 2000, 3:00:00 AM
In <38BA6643...@cam.ac.uk> Julian King <jp...@cam.ac.uk> writes:
> Theo de Raadt wrote:
> > ssh1 has a protocol flaw that allows an attacker to do a crc insertion
> > attack. this attack is apparently not possible if you use 3des, but
> > is possible if you use other ciphers (which basically means blowfish).
> It does? Do you have a reference? I've not seen any mention of a
> problem with ssh1 in this newsgroup which wasn't subsequently blown
> out of the water by someone else.

http://www.core-sdi.com/soft/ssh_vuln.zip
http://www.core-sdi.com/advisories/ssh-advisory.htm

it seems that this attack is only possible against
openssh w/ blowfish, but not if you are using 3des.

-markus

Markus Friedl

Feb 28, 2000, 3:00:00 AM
In <38BA66A9...@cam.ac.uk> Julian King <jp...@cam.ac.uk> writes:
> Juri Munkki wrote:
> > SSH2 has the advantage of allowing tunnel (TCP forward) creation at just
> > about any time. SSH1 is limited in that it always requires a session
> > channel if you want to do tunneling. A lot of people actually want to
> > use SSH as a VPN-like solution only, so the terminal connection they
> > get with SSH1 is totally superfluous (and confusing).
>
> Umm, mindterm the java implementation of ssh1 appears to allow
> that with ssh1 as well... Unless I am losing my mind, that means
> it cannot be a protocol issue, just a client issue.

yes and no:
-R style forwarding only works before the shell is exec'ed
-L style forwarding should work during sessions, too.
perhaps i'll integrate something like a ~L escape into the openssh-client.
but -- and this is a protocol issue -- you still have to exec a shell
or a command. OpenSSH2 will not have this problem.

-markus

Julian King

Feb 29, 2000, 3:00:00 AM

> In <38BA6643...@cam.ac.uk> Julian King <jp...@cam.ac.uk> writes:
> > Theo de Raadt wrote:
> > > ssh1 has a protocol flaw that allows an attacker to do a crc insertion
> > > attack. this attack is apparently not possible if you use 3des, but
> > > is possible if you use other ciphers (which basically means blowfish).
> > It does? Do you have a reference? I've not seen any mention of a
> > problem with ssh1 in this newsgroup which wasn't subsequently blown
> > out of the water by someone else.
>
> http://www.core-sdi.com/soft/ssh_vuln.zip
> http://www.core-sdi.com/advisories/ssh-advisory.htm

I had a look at the advisory, it implied that as of 1.2.25 it wasn't
vulnerable.... Ok, I had a look at README.DEATTACK. Hmm..

I think the correct word here is bugger.

> it seems that this attack is only possible against
> openssh w/ blowfish, but not if you are using 3des.

As far as ssh is concerned I can't see why this might
happen. I've not delved into openssh, although I am
running it on my desktop to evaluate it.

> -markus

Thanks for the info.

Markus Friedl

Feb 29, 2000, 3:00:00 AM
In <38BBA246...@cam.ac.uk> Julian King <jp...@cam.ac.uk> writes:
> > http://www.core-sdi.com/soft/ssh_vuln.zip
> > http://www.core-sdi.com/advisories/ssh-advisory.htm
>
>I had a look at the advisory, it implied that as of 1.2.25 it wasn't
>vulnerable.... Ok, I had a look at README.DEATTACK. Hmm..

the patch in 1.2.25 does not fix the problem,
it only makes the attack more difficult.
