Subject: Re: Proposal: Disable SSHd Protocol v1 by Default (WAS: Re: ssh config path change (/etc -> /etc/ssh))
To: Brian A. Seklecki <lavalamp@spiritual-machines.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 03/14/2002 15:42:22

On Thu, Mar 14, 2002 at 02:38:03PM -0500, Brian A. Seklecki wrote:
>
> You seem to describe OpenSSH as a ticking time-bomb.

Well, in a way, it is.  The original SSH code is kind-of like sendmail:
it's been around for a long time and people have found lots of serious
security problems with it.  To some people, that means that all the nasty
bugs have probably been shaken out by now; to other people, it means that
there's even *more* reason to be worried about it.  At the moment, I'm
in the latter camp, because every time I start to think maybe we're okay,
someone finds another remote-root-compromise security hole in the code.

Note that it doesn't matter whether you use version 1 or version 2, you
will still be vulnerable to the kind of problem that was disclosed last
week.  Or the problem with UseLogin, or... you get the idea.

And, moreover, note that if rather than simply making protocol version 2
the default, you totally disable protocol version 1, this SSH implementation
becomes useless to many people for many real-world purposes, such as rsyncing
large amounts of data, because of the flow-control problems with v2 in this
particular implementation (which, mind you, is the only implementation we've
got).

> > There are good reasons to use the version 2 SSH protocol, but your
> > reasoning about what they are relies upon a false premise.  Try again.
> >
> 
> Everything credible I've read indicates that the most secure
> implementation involves exclusive use of protocol 2, DSA keys (empty
> passphrase or not), disabling superfluous features like 'PermitRootLogin',
> 'PermitEmptyPasswords', X/11 forwarding, and of course, ACLs, either via
> libwrap or ipf limiting which hosts can connect.

There's at least one mistake in your claims above.  I could leave it to you
to do the research and find it, but since I'm in a generous mood, I'll clue
you in.  Using DSA keys with the default length is both more computationally
expensive and *less* resistant to brute-force cryptographic attack than using
default-length RSA keys with the v2 protocol.  As I recall, it's on about the
same order as brute-forcing a block cipher with an 80-bit key: good enough,
for sure, but it's erroneous to claim that it's as hard as brute-forcing a
1024-bit RSA key.

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud
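
Added example, not part of the original message or of OpenSSH: a small check of an sshd_config against the settings named in the quoted list above (Protocol, PermitRootLogin, PermitEmptyPasswords, X11Forwarding). It honours sshd's rule that the first value given for a keyword wins; the sample file and the function names are constructed for illustration.

```python
import re

# Settings named in the quoted list, with the value that list implies.
# These mirror the quoted recommendation; they are not a verdict on it.
WANTED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}

def effective_settings(config_text):
    """Return {keyword: value}, keeping only the first value per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments set nothing
        # Accept "Keyword value" and "Keyword=value"; keywords are
        # case-insensitive, so normalise them to lower case.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(key, value)  # later duplicates are ignored
    return seen

def audit(config_text):
    """List (keyword, found, wanted) for each setting that is unset or differs."""
    settings = effective_settings(config_text)
    findings = []
    for key, wanted in WANTED.items():
        found = settings.get(key)  # None: the compiled-in default applies
        if found is None or found.lower().replace(" ", "") != wanted:
            findings.append((key, found, wanted))
    return findings

# Constructed sample file, not taken from any real host.
SAMPLE = """\
# sample sshd_config
Protocol 2,1
PermitRootLogin no
permitrootlogin yes
PermitEmptyPasswords=no
#X11Forwarding no
"""

if __name__ == "__main__":
    for key, found, wanted in audit(SAMPLE):
        print(f"{key}: found {found!r}, quoted list suggests {wanted!r}")
```

A finding with a found value of None means the keyword is not set in the file, so the result depends on the default of the installed sshd version.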