Bug 1155 - SSH v1 enabled by default on install
Summary: SSH v1 enabled by default on install
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: High enhancement
Assignee: Ferry Meyndert (RETIRED)
Reported: 2002-03-14 21:12 UTC by Brian Raymond
Modified: 2003-02-04 19:42 UTC
Description Brian Raymond 2002-03-14 21:12:48 UTC
SSH v1 has well known and documented security vulnerabilities that can be used
to exploit the SSH server. A safe measure is to either disable v1 on the merge
and let the user know it has been done or inform the user that v1 is on and what
needs to be done to disable it.
Comment 1 Daniel Robbins (RETIRED) gentoo-dev 2002-03-15 00:44:34 UTC
What do you think, m0rpheus?
Comment 2 Bruce A. Locke (RETIRED) gentoo-dev 2002-03-15 21:55:06 UTC
Just some points to consider:

- ssh1 is enabled by default in the portable openssh package (hence why it's on
by default for us)
- ssh1 is enabled by default in debian
- ssh1 is enabled by default in freebsd

The default is for protocol 2 to take precedence and fall back to protocol 1. 
It will only use ssh1 if it can't use ssh2 for some reason.
Comment 3 Brian Raymond 2002-03-16 07:36:03 UTC
I'm not sure if it differs from stable to testing but on an SSH install in
Debian (apt-get) a few weeks ago it actually asked me if I wanted to turn off
SSH v1 because of how vulnerable it is. That's actually what got me thinking
about wanting to see it in packages on most distros.

Granted it's not a wide open and easy hole that can be compromised by anyone
but it can and does happen. It's a small point but, "better to be safe now than
sorry later."
Comment 4 Ferry Meyndert (RETIRED) gentoo-dev 2002-03-21 04:02:42 UTC
I've looked through many distros and they all have ssh1 on by default. So I don't
really see the harm of keeping it on by default.
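
Added example (not part of the bug report or any commenter's post): a shell check for the fallback behaviour described in Comment 2, reporting whether a given sshd_config still offers protocol 1. The `Protocol` keyword and the `2,1` built-in default are assumptions about OpenSSH builds of this bug's era; the function names and the sample config are constructed.

```shell
#!/bin/sh
# Added example: report which SSH protocol versions an sshd_config permits.
# Assumption: OpenSSH releases of this bug's era, where the "Protocol"
# keyword selects versions and an unset keyword means both are offered.

# ssh_protocols FILE -> prints the effective Protocol value, e.g. "2,1"
ssh_protocols() {
    # sshd honours the first occurrence of a keyword; keywords are
    # case-insensitive and may be separated from the value by "=".
    value=$(sed -e 's/#.*//' "$1" | awk '
        { sub(/^[ \t]+/, "") }
        tolower($0) ~ /^protocol[ \t=]/ {
            sub(/^[A-Za-z]+[ \t]*=?[ \t]*/, "")
            gsub(/[ \t]/, "")
            print
            exit
        }')
    # Assumed built-in default when the keyword is absent: 2 preferred,
    # fall back to 1 (the behaviour described in Comment 2).
    echo "${value:-2,1}"
}

# ssh1_enabled FILE -> exit status 0 if protocol 1 is offered, 1 otherwise
ssh1_enabled() {
    case ",$(ssh_protocols "$1")," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample config (not taken from the bug report).
sample=$(mktemp)
printf 'Port 22\nProtocol 2,1\n' > "$sample"
if ssh1_enabled "$sample"; then
    echo "protocol 1 offered ($(ssh_protocols "$sample")); set 'Protocol 2' to disable it"
fi
rm -f "$sample"
```

Point `ssh1_enabled` at the real server config (commonly `/etc/ssh/sshd_config`) and restart sshd after changing the keyword.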