Inside SSH-1

With a solid understanding of the current SSH protocol behind us, we now quickly summarize SSH-1 in terms of its differences, weaknesses, and shortcomings in comparison with SSH-2:

Non-modular

SSH-1 is defined as a single monolithic protocol, rather than the modular approach taken with the SSH-2 suite.

Less negotiation

SSH-1 has more fixed parameters; in fact, only the bulk cipher is negotiated. The integrity algorithm, host key type, key-exchange methods, etc., are all fixed.

Ad hoc naming

SSH-1 lacks the well-defined naming syntax for SSH-2 entities, which allows for smooth, implementation-specific extensions.

Single authentication

SSH-1’s user authentication process allows only one method to succeed; the server can’t require multiple methods.

RhostsRSA authentication

SSH-1’s RhostsRSA authentication, analogous to hostbased, is in principle limited to using a network address as the client host identifier. This limits its usefulness in the face of network issues such as NAT, proxying, mobile clients, etc.

Less flexible remote forwarding

SSH-1 remote forwarding specifies only a port, not a full socket, so it can’t be bound to different addresses on multihomed servers, and the gatewayhosts option must be set globally for all remote forwardings rather than per port.

Weaker integrity checking

SSH-1 uses a weak integrity check, the CRC-32 algorithm. CRC-32 is not cryptographically strong, and its weakness is the basis of the Futoransky/Kargieman “insertion attack”; see http://seclists.org/lists/firewall-wizards/1998/Jun/0095.html. ...
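
Why CRC-32 is not cryptographically strong, shown as an added example that is not from the book: the checksum is affine over XOR, so the change in the checksum caused by flipping chosen bits can be computed without the message or any secret, whereas a keyed MAC such as the HMAC family used by SSH-2 has no such relation. Assumptions: the sample message, mask, and key are constructed, `zlib.crc32` stands in for the CRC-32 variant, and SSH-1 packet framing and encryption are not modeled.

```python
import hashlib
import hmac
import zlib

# Constructed sample data: not a real SSH-1 packet.
MESSAGE = b"constructed payload: transfer 0100 units"
MASK = bytes(len(MESSAGE) - 1) + b"\x01"   # flip the low bit of the last byte


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_delta(mask: bytes) -> int:
    """Checksum change caused by XORing `mask` into ANY message of that length.

    Needs neither the message nor any secret, because CRC-32 is affine over XOR.
    """
    return zlib.crc32(mask) ^ zlib.crc32(bytes(len(mask)))


def crc_is_predictable(message: bytes, mask: bytes) -> bool:
    """True if the new checksum equals old checksum XOR crc_delta(mask)."""
    predicted = zlib.crc32(message) ^ crc_delta(mask)
    return predicted == zlib.crc32(xor_bytes(message, mask))


def hmac_is_predictable(key: bytes, message: bytes, mask: bytes) -> bool:
    """Try the same XOR relation on a keyed MAC; it does not hold."""
    def tag(data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()
    zero_tag = tag(bytes(len(mask)))
    predicted = xor_bytes(tag(message), xor_bytes(tag(mask), zero_tag))
    return hmac.compare_digest(predicted, tag(xor_bytes(message, mask)))


if __name__ == "__main__":
    print("CRC-32 change predictable:", crc_is_predictable(MESSAGE, MASK))
    print("HMAC-SHA256 change predictable:",
          hmac_is_predictable(b"constructed demo key", MESSAGE, MASK))
```

The CRC relation holds for every message and mask of equal length, which is why a checksum alone cannot detect deliberate modification.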
