On Wed, Mar 08, 2000 at 08:56:34AM -0600, Nathan E Norman wrote:

> Eh, well, it is correct[1] behavior to toss out an error message in this
> case since it's notifying you of a *security* problem. In fact, it's
> telling you that the server key is half as secure as the server claims
> it is.

But you *don't* get informed about what the server claims the key is unless you request verbosity. This isn't about displaying wrong info versus displaying right info. This is about displaying extra information for no reason. If the notice that the server was offering an invalid key length came in verbose mode, that would be great; if you got a warning when you first accept the key, that would be useful. What does seeing the message at every login buy you?

> If you and your users don't care about security then I'm sure the
> error is a real pain in the ass. Of course, if security isn't an
> issue then you really don't need to use ssh at all.

Are you really convinced that the security of a 1023 bit key is so much worse than the security of a 1024 bit key that any amount of effort necessary to transition to a new 1024 bit key is justified? In the overall scheme of things, that one bit is *not* a high-priority security problem. Changing keys around and getting users into the habit of replacing host keys is a *bigger* security problem than that stupid bit.

-- 
Mike Stone
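The disagreement above turns on one fact: whether the host key the server offers really has the bit length it is advertised with. The following is an added example, not code from Mike Stone or from any SSH implementation, that checks that fact directly. It assumes the OpenSSH "ssh-rsa" public-key line format (the thread does not name a format), builds such a line from a constructed modulus, parses it back, and reports the modulus length the client would actually see against the claimed length. The moduli are constructed for illustration and are not real RSA keys; only their top bit matters here.

```python
import base64
import struct

# Added example (not from the original thread). Builds and parses OpenSSH
# "ssh-rsa" public-key lines so the real RSA modulus length can be compared
# with the length the key is advertised as (the 1023 vs 1024 bit case).


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative int as an SSH 'mpint' (leading zero byte if the top bit is set)."""
    if value < 0:
        raise ValueError("only non-negative integers are supported")
    if value == 0:
        return _ssh_string(b"")
    nbytes = (value.bit_length() + 8) // 8  # +8 leaves room for a sign (zero) byte when needed
    return _ssh_string(value.to_bytes(nbytes, "big"))


def build_ssh_rsa_line(e: int, n: int, comment: str = "constructed") -> str:
    """Produce an 'ssh-rsa <base64 blob> <comment>' line from public exponent e and modulus n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def _read_string(blob: bytes, offset: int):
    """Read one SSH 'string' starting at offset; return (data, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated ssh string length")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    end = start + length
    if end > len(blob):
        raise ValueError("truncated ssh string body")
    return blob[start:end], end


def parse_ssh_rsa_line(line: str):
    """Return (e, n) from an 'ssh-rsa AAAA... comment' public-key line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("key type inside blob does not match ssh-rsa")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def modulus_bits(line: str) -> int:
    """Actual size of the RSA modulus in bits, i.e. what the client should report."""
    _, n = parse_ssh_rsa_line(line)
    return n.bit_length()


def length_mismatch(line: str, claimed_bits: int):
    """None if the modulus really has claimed_bits bits, otherwise a one-line note."""
    actual = modulus_bits(line)
    if actual == claimed_bits:
        return None
    return f"host key is {actual} bits but is advertised as {claimed_bits} bits"


if __name__ == "__main__":
    # Constructed moduli (not real RSA keys): only the position of the top bit matters.
    n_full = (1 << 1023) | 1    # 1024-bit modulus, top bit set
    n_short = (1 << 1022) | 1   # 1023-bit modulus, top bit clear
    for n in (n_full, n_short):
        line = build_ssh_rsa_line(65537, n)
        print(modulus_bits(line), length_mismatch(line, 1024))
```

Running the block prints the real modulus length for each constructed key and, for the 1023-bit one, the mismatch note; the same check applied to a stored host key tells a user whether the warning discussed above reflects the actual key rather than taking either side's word for it.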