Red Hat Bugzilla – Bug 88329
RFE openssh daemon enables protocol 1 by default
Last modified: 2007-11-30 17:10:31 EST
Description of problem:
The file /etc/ssh/sshd_config has both protocols 1 and 2 of ssh enabled by
default. Protocol 1 has known security problems, and should be disabled by default.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. I can log in with a protocol 1 client.
I agree, I have been having to disable it manually on all the machines I
administrate. I have even found PuTTY using ssh1 by default. So this just isn't
a case of when people use ssh1 on purpose.
Whilst protocol version 1 has some 'known security issues' in general these did
not affect OpenSSH. For example looking at
http://www.f-secure.com/support/technical/ssh/ssh1_vulnerabilities.shtml each of
these issues does not affect OpenSSH, and http://www.openssh.com/goals.html
gives you some more details.
We should consider this again as most clients now support ssh v2.
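
The following audit script is an added example, not part of the bug report or of OpenSSH. It reports whether an sshd_config leaves protocol 1 enabled. The function names `sshd_protocols` and `sshd_allows_v1` are hypothetical, and the fallback value `2,1` used when no `Protocol` line is set is an assumption that matches the behaviour described in this report.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the SSH protocol versions it enables.

# Print the effective Protocol value for config file $1.
# $2 is the value to assume when no Protocol line is set (assumed "2,1" here,
# i.e. both versions on, as the report describes; set it to match your build).
sshd_protocols() {
    awk -v def="${2:-2,1}" '
        /^[ \t]*#/ { next }                 # comment lines, e.g. "#Protocol 2,1"
        { gsub(/=/, " ") }                  # tolerate "Protocol=2"
        tolower($1) == "protocol" {         # keywords are case-insensitive
            v = ""
            for (i = 2; i <= NF; i++) v = v $i   # join "2, 1" into "2,1"
            print v; found = 1; exit        # sshd keeps the first value it reads
        }
        END { if (!found) print def }
    ' "$1"
}

# Succeed (exit 0) when protocol 1 is among the enabled versions.
sshd_allows_v1() {
    case ",$(sshd_protocols "$@")," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample configs (not taken from any real host).
demo_dir=$(mktemp -d)
printf '#Protocol 2,1\nPort 22\n' > "$demo_dir/shipped"       # directive commented out
printf 'Port 22\nProtocol 2\n' > "$demo_dir/hardened"         # protocol 1 disabled

for f in "$demo_dir/shipped" "$demo_dir/hardened"; do
    if sshd_allows_v1 "$f"; then
        echo "$f: protocol 1 ENABLED ($(sshd_protocols "$f"))"
    else
        echo "$f: protocol 2 only"
    fi
done
rm -rf "$demo_dir"
```

On a live host, point the functions at `/etc/ssh/sshd_config` and pass the compiled-in default of the installed sshd as the second argument.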