
Re: Packages to remove from frozen

On Tue, Mar 07, 2000 at 01:21:23PM -0600, Manoj Srivastava wrote:
> >>"Michael" == Michael Stone <mstone@debian.org> writes:
>  Michael> I don't care whether it's documented. I do care if I get a
>  Michael> lot of questions from users who don't understand why they
>  Michael> get error messages sometimes when going to a host that has
>  Michael> always worked.
>         Well, you can tell them that the servers are buggy, and
>  perhaps get the ssh server fixed? 

Analyze your costs and benefits: changing the host key means that all
users have to delete the stored known_host and accept a new key. That's
potentially a big logistical problem (cost). The benefit is you get one
extra bit of security. Whoopie. I'm not aware of any widely employed
attack that succeeds on keys of 1023 bits and fails on keys of 1024
bits. Are you? This is an ego-stroking "my key is bigger than yours"
message, not a serious security warning. At any rate, this is getting
away from my original point, that it's not fair to say openssh is a
completely compatible replacement for ssh-nonfree or to use that as a
justification for removing ssh-nonfree.

> Especially since there is a
>  workaround to stop seeing the message.

What would that workaround be? I only see a workaround to change the
displayed message.

Mike Stone
