
Re: [cobalt-users] FIX - can't su to root, email stopped working,gui stopped working, postgres database is down, virtual sites disappeared

"Jay Summers" <jay@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Correct me if I'm wrong, but I don't think the SSH1 protocol is any more
> unsafe than SSH2 as long as it's the latest stable/secure release. I don't
> really have any links to back up my claim but I believe that I read this
> somewhere before. Maybe even this list...

Don't believe everything you read.  <g>  That includes everything I say,
though in this case my statements weren't unfounded.  Based on what I
believe to be true, older versions of SSH are vulnerable and newer versions
of SSH with Protocol 1 enabled are vulnerable.  In any case, even if the
consensus was that newer versions of SSH were not vulnerable to an attack
using Protocol 1, I would disable it because I realize that we're all really
talking about *known* vulnerabilities.  And IMO, it's more likely a new
vulnerability will be discovered in Protocol 1 than in Protocol 2 so I'll
take my chances and run Protocol 2 exclusively and recommend that my clients
use SSH client programs that support Protocol 2.  You might want to check
out the following article or google for something like "ssh protocol 1
vulnerability" (without the quotes).

http://www.stanford.edu/group/itss-ccs/security/news/ssh.html

HTH,

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
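The advice above boils down to one sshd_config directive. The script below is an added example, not code from Steve Werby, the list, or any Cobalt release: it audits a config file for the "Protocol" directive and emits a copy that allows protocol 2 only. It assumes the pre-OpenSSH-7.6 syntax ("Protocol 2", "Protocol 2,1", "Protocol 1"); OpenSSH 7.0 disabled protocol 1 by default and 7.6 removed it entirely, so on those releases a missing directive already means v2-only. The sample config files are constructed here, not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for SSH Protocol 1
# and produce a hardened copy. Assumes the "Protocol" directive of OpenSSH
# before 7.6. sshd honours the FIRST occurrence of a keyword, so that is the
# one examined here; commented-out lines are ignored.

# ssh_protocol_status FILE  ->  prints v2-only | v1-enabled | default
# "default" means no directive is set; what that permits depends on the
# OpenSSH version (old releases defaulted to "2,1", i.e. v1 still enabled).
ssh_protocol_status() {
    proto=$(grep -i '^[[:space:]]*Protocol[[:space:]]' "$1" | head -n 1 | awk '{print $2}')
    case "$proto" in
        '')  echo default ;;
        *1*) echo v1-enabled ;;   # "1", "1,2" or "2,1" all leave v1 reachable
        *)   echo v2-only ;;
    esac
}

# ssh_force_protocol2 FILE  ->  writes a copy to stdout with every Protocol
# directive replaced by "Protocol 2", appending one if the file had none.
ssh_force_protocol2() {
    if grep -qi '^[[:space:]]*Protocol[[:space:]]' "$1"; then
        sed 's/^[[:space:]]*[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll][[:space:]].*/Protocol 2/' "$1"
    else
        cat "$1"
        echo 'Protocol 2'
    fi
}

# Constructed sample configs (hypothetical, not real server files).
SSHDEMO_DIR=$(mktemp -d)
WEAK_CFG="$SSHDEMO_DIR/sshd_config.weak"
FIXED_CFG="$SSHDEMO_DIR/sshd_config.fixed"
cat > "$WEAK_CFG" <<'EOF'
# sshd_config (constructed sample): the old default that still speaks v1
Port 22
Protocol 2,1
PermitRootLogin no
EOF
ssh_force_protocol2 "$WEAK_CFG" > "$FIXED_CFG"

echo "weak:  $(ssh_protocol_status "$WEAK_CFG")"    # v1-enabled
echo "fixed: $(ssh_protocol_status "$FIXED_CFG")"   # v2-only
```

Point ssh_protocol_status at /etc/ssh/sshd_config (or wherever the Cobalt build keeps it) to see where a server stands; after changing the directive, restart sshd and confirm with an SSH1-only client that the connection is refused. Since a Protocol directive can be overridden by a later "Match" block in newer releases, the check above is a first pass, not proof of the effective server configuration.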