auto458545@hushmail.com wrote:

> It is servers which advertise this compatibility mode of 1.99 which are
> vulnerable to the attack. Servers in compatibility mode have both
> protocols 1 and 2 enabled.

Just pointing out a small mistake here: running servers in compatibility mode is NOT what causes the problem, and the reverse is also true: running a server in forced v1 or v2 mode doesn't help.

If you want a "workaround", it'd be forcing all your SSH clients to use a specific SSH version, but that's seldom a viable alternative.

Then again, the best solution is probably educating all your users to always verify host fingerprints (hahahaha) or forcing public key auth instead of password auth (usually more viable) in your servers. People are more likely to notice "public key auth failed" rather than the old "new host key" message.

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com
"It's July. I'm on vacation. Can't you tell? :)"
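As an added illustration (not part of the original post or of any Clavister or OpenSSH code), the following audit checks an OpenSSH server config for the mitigation the post recommends (public key auth instead of password auth) and a client config for strict host key verification. The sample configs are constructed; the parser only reads top-level directives and skips Match/Host blocks as a simplification.

```python
# Added example, not from the original post: audit OpenSSH configs for the
# mitigations the post recommends. Sample configs are constructed. OpenSSH keeps
# the FIRST value of each keyword; Match/Host blocks are skipped (simplification).

WEAK_SSHD_CONFIG = """
Protocol 2,1
PasswordAuthentication yes
"""
# Passwords off: a relayed login yields nothing; the user sees a key failure.
HARDENED_SSHD_CONFIG = """
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

def parse_openssh_config(text: str) -> dict[str, str]:
    """Top-level keyword -> first value, keywords lower-cased."""
    directives: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("match", "host"):
            break  # conditional block: later directives are not global
        directives.setdefault(key, value)  # first value wins, as in OpenSSH
    return directives

def audit_sshd(text: str) -> list[str]:
    """Server findings; an empty list means password-based logins are off."""
    cfg = parse_openssh_config(text)
    findings = []
    # sshd_config(5) defaults: all three keywords default to 'yes'.
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication enabled: a relayed login leaks the password")
    if cfg.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication enabled: PAM may still prompt for a password")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication disabled: only passwords remain")
    return findings

def audit_ssh_client(text: str) -> list[str]:
    """Client findings: StrictHostKeyChecking must be 'yes' (default is 'ask')."""
    cfg = parse_openssh_config(text)
    if cfg.get("stricthostkeychecking", "ask").lower() != "yes":
        return ["StrictHostKeyChecking not 'yes': an unknown or changed host key can be accepted"]
    return []
```

With StrictHostKeyChecking set to yes, ssh refuses to connect when a host key is unknown or has changed instead of showing the "new host key" prompt the post describes.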