I believe I was told that there are some theoretical weaknesses with
protocol 1? And since ssh.com uses 2 by default, shouldn't this be the same
for openssh?

Also, in another case where the default isn't really the default:

# StrictHostKeyChecking no

The default is actually yes if it's commented out (and I believe this one
should be yes even though I always turn it off manually :-) ), so the conf
file should be changed?

-Rob

On Tue, 7 Nov 2000, joel w. reed wrote:

> ssh.1 says
>
> Protocol Specifies the protocol versions ssh should support in order of
>          preference. The possible values are ``1'' and ``2''. Multiple
>          versions must be comma-separated. The default is ``1,2''. This
>          means that ssh tries version 1 and falls back to version 2 if
>          version 1 is not available.
>
> but /etc/ssh/ssh_config shows the default for Protocol as...
>
> # Port 22
> # Protocol 2,1
> # Cipher blowfish
>
> one of the above should be fixed.
>
> jr
On Tue, 7 Nov 2000, joel w. reed wrote:

> ssh.1 says
>
> Protocol Specifies the protocol versions ssh should support in order of
>          preference. The possible values are ``1'' and ``2''. Multiple
>          versions must be comma-separated. The default is ``1,2''. This
>          means that ssh tries version 1 and falls back to version 2 if
>          version 1 is not available.
>
> but /etc/ssh/ssh_config shows the default for Protocol as...
>
> # Port 22
> # Protocol 2,1
> # Cipher blowfish
>
> one of the above should be fixed.

Both are correct. ssh uses Protocol 1 by default if nothing else is
defined. What's written _commented out_ in ssh_config is of no
consequence; the default Cipher isn't blowfish either, etc. If you
uncomment the line there, it obviously changes the default ...

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"
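The point Pekka makes (a commented-out line sets nothing, so the client silently falls back to its compiled-in default) is easy to check mechanically. The script below is an added example, not code from OpenSSH or from anyone on this thread. It parses an ssh_config-style file, keeps the "first obtained value wins" rule and Host stanza matching, and separates directives that are actually active from ones that are merely commented out. Assumptions: the DEFAULTS table holds only the two values quoted from ssh.1 in the thread (Port 22, Protocol 1,2) and must be replaced with the manual page of the version you run; KNOWN_OPTIONS is a small assumed subset of option names; fnmatch stands in for ssh's own pattern matcher; the sample config is constructed to mirror the shipped file quoted above.

```python
"""Separate active ssh_config directives from commented-out ones.

Added example, not OpenSSH code. Models the behaviour discussed on the
thread: '# Protocol 2,1' configures nothing, so the effective value is the
compiled-in default, which the quoted ssh.1 gives as '1,2'.
"""
import fnmatch
import re

# Assumed documented defaults, taken only from the ssh.1 text quoted above.
DEFAULTS = {"port": "22", "protocol": "1,2"}

# Assumed subset of option names; only these count as directives behind a
# '#', so ordinary comment prose is not mistaken for a commented-out option.
KNOWN_OPTIONS = {
    "host", "port", "protocol", "cipher", "ciphers", "stricthostkeychecking",
    "forwardagent", "forwardx11", "user", "hostname", "identityfile",
}

# Optional leading '#', an option name, then '=' or whitespace, then a value.
LINE_RE = re.compile(r"^\s*(#?)\s*([A-Za-z0-9]+)\s*[ =]\s*(.+?)\s*$")

# Constructed sample mirroring the shipped /etc/ssh/ssh_config quoted above,
# plus two real stanzas so the "first value wins" rule has something to do.
SAMPLE_CONFIG = """\
# Host *
#   ForwardAgent no
# Port 22
# Protocol 2,1
# Cipher blowfish

Host *.internal
  Protocol 2
  StrictHostKeyChecking yes

Host *
  Protocol 1,2
"""


def parse(text):
    """Yield (active, host_patterns, key, value) for every directive-like line.

    Commented-out directives are yielded with active=False so they can be
    reported, but a commented-out 'Host' line opens no stanza and a
    commented-out option never contributes to the effective configuration.
    """
    hosts = ["*"]
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        active = m.group(1) == ""
        key, value = m.group(2).lower(), m.group(3)
        if key not in KNOWN_OPTIONS:
            continue
        if key == "host":
            if active:
                hosts = value.split()
            continue
        yield active, list(hosts), key, value


def host_matches(patterns, hostname):
    """ssh_config semantics: any matching negated pattern vetoes the stanza."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def effective_config(text, hostname, defaults=DEFAULTS):
    """What the client would actually use for hostname: first value wins."""
    result = dict(defaults)
    seen = set()
    for active, hosts, key, value in parse(text):
        if not active or key in seen or not host_matches(hosts, hostname):
            continue
        seen.add(key)
        result[key] = value
    return result


def misleading_comments(text, defaults=DEFAULTS):
    """Commented-out directives whose value is not the documented default.

    These are the lines the thread argues about: a reader who takes
    '# Protocol 2,1' to mean 'this is the default' is misled.
    """
    return [(key, value, defaults[key])
            for active, _hosts, key, value in parse(text)
            if not active and key in defaults and value != defaults[key]]


if __name__ == "__main__":
    print("db.internal  ->", effective_config(SAMPLE_CONFIG, "db.internal"))
    print("example.org  ->", effective_config(SAMPLE_CONFIG, "example.org"))
    print("misleading   ->", misleading_comments(SAMPLE_CONFIG))
```

On a current OpenSSH client, `ssh -G hostname` prints the fully resolved configuration for that host, which is the authoritative version of this check; the script is useful where you want to audit a shipped config file without the client installed, or to flag commented-out lines that disagree with the documented defaults.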
ssh.1 says

Protocol Specifies the protocol versions ssh should support in order of
         preference. The possible values are ``1'' and ``2''. Multiple
         versions must be comma-separated. The default is ``1,2''. This
         means that ssh tries version 1 and falls back to version 2 if
         version 1 is not available.

but /etc/ssh/ssh_config shows the default for Protocol as...

# Port 22
# Protocol 2,1
# Cipher blowfish

one of the above should be fixed.

jr

-- 
------------------------------------------------------------------------
Joel W. Reed                                               412-257-3881
--------------All the simple programs have been written.----------------
On 2000-11-08, Rob Hagopian <rob at hagopian.net> wrote:

> IMO consistency is important. Right now there is an inconsistent mix of
> defaults and non-defaults in the config file with no clear direction on
> them.

I agree. Perhaps it's only because this is how I'm used to the SSH config
files behaving, but I think it's valuable for the default config files to
represent only the defaults, because then the defaults for a particular
version are self-documenting. I'm used to saying "OK, let me go through
/etc/sshd?_config and change all the defaults I don't agree with." Which
means, a commented-out value that I *agree* with I shouldn't have to
touch. A mix where some reflect "the default should be changed to this"
and others represent "this is the default" violates the principle of
least surprise, IMHO, and makes it a given that you either

a) explicitly set every single option,
b) look up every single option in the manpage and/or source,
c) learn the "real" defaults by heart and be *sure* to update your brain
   with any/all changes that happen between versions[*].

a) is probably the correct answer, and is what I tend to do anyway, but
it's sorta silly...

[*] This is still something of a problem when upgrading from 2.x.y to
2.m.n, 'cuz the previous config file won't be overwritten by the install
(and shouldn't be), but then one can always look at the default config
file that came with 2.m.n and look for surprises.

-- 
Hank Leininger <hlein at progressive-comp.com>