[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages to remove from frozen

On Wed, Mar 08, 2000 at 08:56:34AM -0600, Nathan E Norman wrote:
> Eh, well, it is correct[1] behavior to toss out an error message in this
> case since it's notifying you of a *security* problem.  In fact, it's
> telling you that the server key is half as secure as the server claims
> it is.

But you *don't* get informed about what the server claims the key is
unless you request verbosity. This isn't about displaying wrong info
versus displaying right info. This is about displaying extra information
for no reason. If the notice that the server was offering an invalid key
length came in verbose mode, that would be great; if you got a warning
when you first accept the key, that would be useful. What does seeing the
message at every login buy you?

> If you and your users don't care about security then I'm sure the
> error is a real pain in the ass.  Of course, if security isn't an
> issue then you really don't need to use ssh at all.

Are you really convinced that the security of a 1023 bit key is so much
worse than the security of a 1024 bit key that any amount of effort
necessary to transition to a new 1024 bit key is justified? In the
overall scheme of things, that one bit is *not* a high-priority security
problem. Changing keys around and getting users into the habit of
replacing host keys is a *bigger* security problem than that stupid bit.

Mike Stone

Attachment: pgpKi0E4j_ulH.pgp
Description: PGP signature

Reply to: