[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages to remove from frozen

On Thu 09 Mar 2000, Jacob Kuntz wrote:

> isn't the problem here that the server is misrepresenting itself? a one bit
> difference may not make a less secure key, but it could quite possibly be an
> indication of some deception. i worry that altering the client to ignore
> this type of error will only open us up to attack, be it man-in-the-middle
> or otherwise.

Warning: my crypto knowledge is pretty poor.

Someone somewhere in this thread said that the problem was that the old
ssh could generate a key that had the MSbit off, and that was the cause
of these messages.  I'm now thinking: if the MSbit *MUST* be set, how
does that increase the security? N bits of key is no less secure than
N+1 bits where you know the value of one bit.  Isn't openssh simply
confused in this case?

I myself notice that openssh complains about half the time when
connecting to a random number of different hosts (I connect daily to a
random 5-10 systems out of a collection 700 hosts (each running ssh
1.2.17), which IMHO means the sample is quite random, but then
statistics lessons was a long time ago).

Paul Slootman
home:       paul@wurtel.demon.nl http://www.wurtel.demon.nl/
work:       paul@murphy.nl       http://www.murphy.nl/
debian:     paul@debian.org      http://www.debian.org/
isdn4linux: paul@isdn4linux.de   http://www.isdn4linux.de/

Reply to: