It is disabled by default in the client, in the sense that you need to
actually run ssh -1. If you didn't, I'd be on the side of the pitchforks
saying why are we subjecting all these clients to downgrade attack risk.

--Dan

On Wed, Apr 1, 2015 at 6:40 AM, Michael Felt <aixtools@xxxxxxxxx> wrote:

> Ok - thanks. stunnel is something 'useful' to study. Hopefully I will not
> have to hit my head against the wall too often.
>
> That said - is there (an official) way to disable ssh1 in the server
> (e.g., --without-ssh1 Disable support for SSH protocol 1) but
> keep support in the client?
>
> That is how I would like to package it as of today.
>
> And I expect (read: hope) that even though support is compiled in, I could
> still disable it - by default - in the client via ssh_config.
>
> Michael
>
> p.s. Hubert - my apologies for the double send, forgot reply-to-all.
>
> On Wed, Apr 1, 2015 at 3:05 PM, Hubert Kario <hkario@xxxxxxxxxx> wrote:
>
> > On Wednesday 01 April 2015 14:37:59 Michael Felt wrote:
> > > re: use of a stunnel - how does this turn 40-bit https into >40-bit
> > > https.
> > > Sounds like a man-in-the-middle I do not want to know about (but should
> > > learn about just the same - aka the sand is not so deep I can bury my
> > > head completely :)
> >
> > Yes, it is literally a "man in the middle"; the point is that this man
> > is *you*, and as such, you can trust him, at least as much as you can
> > trust the server itself.
> >
> > It's the same way a reverse proxy turns a local HTTP server running on
> > port 8080 (or any other for that matter) into a proper HTTPS server.
> >
> > Or in other words, it's to turn something like this:
> >
> >                                         | trusted network here
> >   client        .-,(  ),-.
> >    __  _     .-(          )-.           router               server
> >   [__]|=| ---->(  internet   )-------> __________ ------> ____  __
> >   /::/|_| SSLv2 '-(          ).-' SSLv2 [...__...°] SSLv2  |   | |==|
> >                 '-.( ).-'               |____|              |   |
> >                                        /::::/               |__|
> >
> > into something like this:
> >
> >                                         | trusted network here
> >   client        .-,(  ),-.
> >    __  _     .-(          )-.            router               server
> >   [__]|=| ---->(  internet   )-------> __________ ------> ____  __
> >   /::/|_| TLS1.2 '-(          ).-' TLS1.2 [...__...°] SSLv2  |   | |==|
> >                  '-.( ).-'                ↑ |____|             |   |
> >                                       stunnel /::::/           |__|
> >
> > (diagram taken from http://unix.stackexchange.com/a/126638)
> > --
> > Regards,
> > Hubert Kario
> > Quality Engineer, QE BaseOS Security team
> > Web: www.cz.redhat.com
> > Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
> >
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
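The thread turns on whether protocol 1 is actually off in a packaged server and client. One way a packager can verify the server side is to read the identification string sshd sends on connect: per RFC 4253 section 5.1 a server that still supports both protocols announces "SSH-1.99-...", a protocol-2-only build (or one with "Protocol 2" in sshd_config) announces "SSH-2.0-...", and a protocol-1-only server announces "SSH-1.x-...". The following is an added example, not code from the thread or from OpenSSH; the banner strings it classifies are constructed, the function names are my own, and the live probe reads only the server's banner without sending anything.

```python
import re
import socket

# RFC 4253 section 5.1: the identification string is
# "SSH-protoversion-softwareversion [comments]". A server supporting both
# protocol 1 and protocol 2 announces "1.99"; a server with protocol 1
# compiled out or disabled announces "2.0"; protocol-1-only servers
# announce "1.x".
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")


def classify_ssh_banner(banner):
    """Return (offers_v1, offers_v2, software) for one identification line.

    Raises ValueError when the line is not an SSH identification string.
    """
    line = banner.rstrip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    proto, software = m.group(1), m.group(2)
    if proto == "1.99":
        return True, True, software
    if proto.startswith("2."):
        return False, True, software
    if proto.startswith("1."):
        return True, False, software
    raise ValueError("unknown protocol version %s" % proto)


def summarize(banner):
    """Verdict a packager wants when checking a --without-ssh1 build."""
    v1, v2, software = classify_ssh_banner(banner)
    if v1 and v2:
        return "%s: protocol 1 still enabled (downgrade surface present)" % software
    if v2:
        return "%s: protocol 2 only" % software
    return "%s: protocol 1 only (unsafe)" % software


def probe_banner(host, port=22, timeout=5.0):
    """Read the identification line of a live server you administer.

    RFC 4253 allows the server to send other lines before its version
    string, so skip lines until one starts with "SSH-". Nothing is sent,
    so this is a read-only audit check; it is not exercised by the
    offline sample run below.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        for _ in range(20):  # bound the number of pre-banner lines read
            raw = f.readline(255)
            if not raw:
                break
            line = raw.decode("ascii", "replace")
            if line.startswith("SSH-"):
                return line
    raise ValueError("no SSH identification string received from %s:%d" % (host, port))


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_6.8\r\n",   # protocol 1 compiled in and enabled
    "SSH-2.0-OpenSSH_6.8\r\n",    # --without-ssh1 build, or "Protocol 2" in sshd_config
    "SSH-1.5-OpenSSH_3.9p1\r\n",  # protocol 1 only
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(summarize(b))
```

The banner check covers the server only; on the client side the thread's point stands on its own: with protocol 1 compiled in, the client still speaks protocol 2 unless explicitly told otherwise with ssh -1, and a "Protocol 2" line in ssh_config makes that default explicit.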