Annette,

openssh is capable of using both versions, SSH2 and SSH1. If the client is only capable of SSH1, openssh provides it - if allowed! You can even force the openssh client to use SSH1 by setting Protocol 1 or Protocol 1,2 in the client configuration file.

AFAIK the SSH1 implementation of openssh 2.9p1-17 is secure - but ask yourself: Do you really need SSH1?

Cheers,
Ralf

Ralf Koch wrote:
Hi,
the main question is whether your SSH daemon is vulnerable.
The option "Protocol 2,1" sets only the preferred version to SSH2. You're allowed to connect with SSH1 too.
Cheers,
Ralf
Hi, we updated to rpm package openssh-2.9p1-17 on all our Linux boxes some days ago and I think: This is an SSH2 daemon. Isn't it? Is it vulnerable? It's possible that the last incident just came through the SSH1 vulnerability.
Another question: Is duarawkz only a Linux hackertool? Maybe some enthused hackers ported it to other platforms? I still have some SSH1 unix platforms here.
Bye, Annette
--
Ralf 'coko' Koch
mailto:info@formel4.de
Computers are like air conditioners: They stop working properly if you open windows.
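
As an added example that is not part of the original thread: a small check that reads an sshd_config or ssh_config text and reports whether the `Protocol` setting discussed above still permits SSH1. The function names, the sample configs and the `default` value used when no `Protocol` line is present are assumptions; confirm the built-in default in the man page for your OpenSSH build.

```python
import re

# Constructed sample configs (not taken from the hosts in the thread).
SAMPLE_PREFER_V2 = """\
# sshd_config
Port 22
Protocol 2,1
PermitRootLogin no
"""
SAMPLE_V2_ONLY = "Port 22\nprotocol 2\n"
SAMPLE_NO_DIRECTIVE = "Port 22\n"


def protocol_versions(config_text, default="2,1"):
    """Return the ordered list of SSH protocol versions the config permits.

    OpenSSH uses the first value it obtains for a keyword, so only the
    first Protocol line counts. `default` is what to assume when no
    Protocol line exists (an assumption, not read from the binary).
    """
    value = default
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # Keywords are case-insensitive; "Protocol 2" and "Protocol=2" both parse.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "protocol" and len(parts) == 2:
            value = parts[1]
            break
    return [v.strip() for v in value.split(",") if v.strip()]


def allows_ssh1(config_text, default="2,1"):
    """True if SSH1 is permitted at all, regardless of preference order."""
    return "1" in protocol_versions(config_text, default)


if __name__ == "__main__":
    for name, text in [("prefer v2", SAMPLE_PREFER_V2),
                       ("v2 only", SAMPLE_V2_ONLY),
                       ("no directive", SAMPLE_NO_DIRECTIVE)]:
        print(name, protocol_versions(text), "SSH1 allowed:", allows_ssh1(text))
```

The "Protocol 2,1" case reports SSH1 as allowed, which is the point made in the thread: the order only expresses preference.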