ideas 2

Ed df at bsd.it
Wed Jul 28 11:52:30 PDT 2004


On Wednesday 28 July 2004 20:13, Matthew Dillon wrote:
> :2) By default ssh and sshd can automatically switch to the obsolete SSH
> :protocol v1 if one of the two doesn't support v2. I'm asking to remove
> : this automatic process, letting the user manually choose obsolete v1
> : using "ssh -1" command.
> :
>     I'm kinda on the fence on changing this.  I've actually done this on
>     personal machines before but it always creates problems with programs
>     like 'scp' which do not have a '-1' option.

scp -oProtocol=1 src user@server:/path/dest



>     It is better not to mess with the older protocols.  A v1 ssh client
>     might not be able to handle a 1024 bit key.  In particular, before
>     the patent ran out there were a lot of clients that could not legally
>     handle 1024 bit keys.  For people who still need to accept v1
>     connections, this could throw a wrench in the works.

This is the server key. It's not the same that you generate the first boot.



> : incrementing the default keysize to 2048.
>
>     Again, I'm worried about compatibility.


I would like to underline that OpenSSH had some big security holes a short time 
ago, so everyone is supposed to be running at least 3.4 or 3.5 after the GOBBLES 
exploit...

This means that 2048 bits should not be a compatibility problem, but a 
performance problem.



>     A lot of people did this sort of thing with sendmail when sendmail
>     was going through a number of security issues a few years ago, but
>     it didn't stop the attacks.   Also, there are other ways to detect
>     the ssh version number.  I would rather not change this.

Changing it doesn't make things worse, so I would do it ;-)
By the way, at the moment you're revealing OpenSSH version and OS 
type/version.


> :8) Please make /tmp cleaning at boot time a default setting. It's a good
> : thing for privacy and security.
>
>     Well cleaning out /tmp at boot is a bad idea in general because while
>     the files are meant to be temporary, the last thing you ever want is
> for a system reboot to blow them away.  One could institute removal based
> on a file age, and many do, but I'm not sure we should do it by default.

OpenBSD does it by default.
With FreeBSD I need to put clear_tmp_enable="YES".


	Ed


P.S. I'm subscribed to the mailing list, so please don't put me in CC: too
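The two sshd settings argued over above (automatic fallback to SSH protocol v1, and the size of the v1 server key that a v1 client has to cope with) can be checked mechanically. The script below is an added example, not code from the thread or from DragonFly/OpenSSH: it audits an sshd_config fragment for those two settings and emits a hardened copy. The config text is constructed for the example; the fallback defaults it assumes when a keyword is absent (Protocol 2,1 and ServerKeyBits 768) are the OpenSSH 3.x defaults, and the 2048 threshold is the key size proposed in the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an sshd_config
# for SSHv1 fallback and a small v1 server key, then emit a hardened copy.

# Constructed sshd_config fragment used as sample input.
SAMPLE_CONFIG='# constructed sshd_config fragment for the audit example
Protocol 2,1
ServerKeyBits 768
PermitRootLogin no
'

# effective_value KEYWORD: read a config on stdin and print the value of
# the first uncommented occurrence of KEYWORD (sshd honours the first
# match), printing nothing if the keyword is not set.
effective_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) {
        sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
}

# allows_v1 CONFIG_TEXT: succeed when the config still permits protocol
# version 1, i.e. the Protocol list contains "1".  An absent keyword is
# treated as "2,1" (assumed OpenSSH 3.x default).
allows_v1() {
    val=$(printf '%s\n' "$1" | effective_value Protocol)
    [ -z "$val" ] && val="2,1"
    case ",$val," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# server_key_too_small CONFIG_TEXT MIN_BITS: succeed when the v1 server
# key (ServerKeyBits, assumed default 768) is below MIN_BITS.  This key
# only matters while v1 is accepted.
server_key_too_small() {
    val=$(printf '%s\n' "$1" | effective_value ServerKeyBits)
    [ -z "$val" ] && val=768
    [ "$val" -lt "$2" ]
}

# audit CONFIG_TEXT MIN_BITS: print one line per finding and finish with
# a "<n> findings" summary line.
audit() {
    n=0
    if allows_v1 "$1"; then
        echo "FINDING: Protocol permits SSHv1 fallback; set 'Protocol 2'"
        n=$((n + 1))
        if server_key_too_small "$1" "$2"; then
            echo "FINDING: ServerKeyBits below $2 while v1 is still accepted"
            n=$((n + 1))
        fi
    fi
    echo "$n findings"
}

# harden CONFIG_TEXT MIN_BITS: print the config with Protocol forced to 2
# and ServerKeyBits raised to MIN_BITS, appending either if it was absent.
harden() {
    printf '%s\n' "$1" | awk -v bits="$2" '
        tolower($1) == "protocol"      { print "Protocol 2"; seen_p = 1; next }
        tolower($1) == "serverkeybits" { print "ServerKeyBits " bits; seen_k = 1; next }
        { print }
        END {
            if (!seen_p) print "Protocol 2"
            if (!seen_k) print "ServerKeyBits " bits
        }'
}

# Demonstration on the constructed sample.
echo "== audit of sample config =="
audit "$SAMPLE_CONFIG" 2048
echo "== audit after hardening =="
audit "$(harden "$SAMPLE_CONFIG" 2048)" 2048
```

Running it on the sample reports two findings; the hardened copy reports none. Because sshd takes the first occurrence of a keyword, the audit deliberately ignores later duplicates, which is the same reading a running sshd would apply.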
