Battle of the SSH Protocols: SSHv1 v SSHv2

Telnet has been eclipsed by two feature-laden Secure Shell protocols. But which one is best?

InformationWeek Staff, Contributor

November 19, 2007

2 Min Read
InformationWeek logo in a gray background | InformationWeek

Some of the protections that SSHv2 offers over SSHv1 and Telnet are:

  • Eavesdropping: SSHv2 protects against eavesdropping by encrypting all data, making it unreadable to potential eavesdroppers.

  • Domain Name System (DNS) and IP spoofing: SSHv2 wards off such attacks by cryptographically verifying the identity of the server. For every session, the SSH client validates the server's host key against a local list of available keys that are associated with server names and addresses. If the keys do not match, an immediate warning is issued.

  • Session hijacking: SSHv2 is unable to prevent hijackings because of an inherent flaw in the TCP layer. SSHv2 can, however, render the hijacking ineffective through its integrity-checking process. If a session is modified during transmission, SSHv2 will shut down the connection immediately without using the bogus data. SSHv2 uses the cryptographically strong hash functions MD5 and SHA-1 for integrity checking. This can also prevent replay or insertion attacks.

  • Protection against man-in-the-middle, or replay attacks: The man-in-the-middle attack is one of the biggest threats on an Ethernet network today.

There are two ways SSHv2 can protect against man-in-the-middle attacks:

  1. Server-host authentication: Because the attacker does not have the server's private host key, the attacker would have to break into the server host to pull off the impersonation. For this protection to be totally effective, the client must check the server-supplied public host key against its list of known hosts.

  2. Stronger authentication for the client: Passwords are vulnerable, but public keys and certificates are essentially immune to these types of attacks.

In this contest the choice is clear: SSHv2 and SFTP are certainly a best practice for managing switches. Just make sure that you turn off Telnet and TFTP on your switches and do not configure SSHv2 to fail back to SSHv1.

Jimmy Ray Purser is a networking and networking security expert at Cisco Systems.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights