Announcement

**bascule** · December 4, 2003, 13:03

Originally posted by kidlinux

When I want to get into my Linux computer from Windows machines at school I use a program called Putty. You all have probably heard of it. Anyway Putty has two MAJOR security issues. The first is that the default protocol for connecting to computers is telnet, which you all know is not secure! Second, if you choose SSH protocol, it defaults to SSHv1, which you all probably know is not secure too. I have not tried to snoop SSHv1 session yet but I hear there are tools out there that make it real easy. Doesn't this seem like a horrible security problem to anyone else?

Defaulting to telnet is an annoyance but is readily visible, so I wouldn't really consider it a "security hole". However, you are right about PuTTY defaulting to SSHv1. You can save over the "Default settings" entry and configure it to use SSHv2 (and not allow SSHv1 fallback) as well as change the block cipher from 3DES to AES or Blowfish.

**noid** · December 4, 2003, 13:05

You can also take this a step further by telling your server (the one running sshd) to not even speak SSH1 and to reject those that do.

**Chris** · December 4, 2003, 13:11

Originally posted by noid

You can also take this a step further by telling your server (the one running sshd) to not even speak SSH1 and to reject those that do.

Once again noid speaks the most wisely...
It is easy as hell to do.

Edit the sshd_config and uncomment the Protocols line. Then delete anything other than the number 2.

Then HUP the sshd and you're in bidnesses.

See attached screenshot.

This ends my uncharacteristic spoonfeeding session for today.

Attached Files

**kidlinux** · December 4, 2003, 13:20

Originally posted by noid

You can also take this a step further by telling your server (the one running sshd) to not even speak SSH1 and to reject those that do.

Wow thanks that is a great idea. I will edit my config to only allow SSH2 on my server, then I don't even have to fix Putty!

**skroo** · December 4, 2003, 14:39

Originally posted by kidlinux

Wow thanks that is a great idea. I will edit my config to only allow SSH2 on my server, then I don't even have to fix Putty!

The real annoyance with putty defaulting to telnet instead of SSH is if you happen to be trying to access a remote box running an IDS that's set to block any IP address connecting to a port not running a listening service (like telnet) - you automatically DoS the box you're coming from from being able to log in until the block is cleared. I've done this to myself at home more times than I want to think about.

**bascule** · December 5, 2003, 12:41

Originally posted by kidlinux

Wow thanks that is a great idea. I will edit my config to only allow SSH2 on my server, then I don't even have to fix Putty!

You should probably fix both, at least if you intend to ssh anywhere other than your home system.

Announcement

Putty security holes

Putty security holes

Comment

Comment

Comment

Comment

Comment

Comment