Re: Packages to remove from frozen
On Thu 09 Mar 2000, Jacob Kuntz wrote:
> isn't the problem here that the server is misrepresenting itself? a one bit
> difference may not make a less secure key, but it could quite possibly be an
> indication of some deception. i worry that altering the client to ignore
> this type of error will only open us up to attack, be it man-in-the-middle
> or otherwise.

Warning: my crypto knowledge is pretty poor.

Someone somewhere in this thread said that the problem was that the old
ssh could generate a key that had the MSbit off, and that was the cause
of these messages. I'm now thinking: if the MSbit *MUST* be set, how
does that increase the security? N bits of key is no less secure than
N+1 bits where you know the value of one bit. Isn't openssh simply
confused in this case?

I myself notice that openssh complains about half the time when
connecting to a random number of different hosts (I connect daily to a
random 5-10 systems out of a collection of 700 hosts (each running ssh
1.2.17), which IMHO means the sample is quite random, but then
statistics lessons were a long time ago).

home: firstname.lastname@example.org http://www.wurtel.demon.nl/
work: email@example.com http://www.murphy.nl/
debian: firstname.lastname@example.org http://www.debian.org/
isdn4linux: email@example.com http://www.isdn4linux.de/
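
An added illustration of the key-size effect discussed in this message; it is not part of the original mail and is not code from OpenSSH or ssh 1.2.17. It assumes a toy key generator that builds the modulus from two random primes of half the announced size, forcing only the top bit of each prime, and a simplified size check (`size_matches`, a hypothetical name) that compares the announced size with the modulus's real bit length. The product of two h-bit primes has either 2h or 2h-1 bits, so a sizeable share of such keys come out one bit short of the announced size.

```python
import random

def is_prime(n):
    """Miller-Rabin; these bases are deterministic for n < 3.4e14."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17)
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    """Random prime of exactly `bits` bits: only the top bit is forced to 1."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(candidate):
            return candidate

def make_modulus(announced_bits, rng):
    """Toy keygen (assumption): n = p*q, each prime announced_bits/2 bits."""
    half = announced_bits // 2
    return random_prime(half, rng) * random_prime(half, rng)

def size_matches(n, announced_bits):
    """Simplified stand-in for a client comparing announced and actual size."""
    return n.bit_length() == announced_bits

def short_fraction(announced_bits=64, samples=500, seed=1):
    """Share of constructed toy keys whose modulus is one bit short."""
    rng = random.Random(seed)
    short = sum(not size_matches(make_modulus(announced_bits, rng), announced_bits)
                for _ in range(samples))
    return short / samples

if __name__ == "__main__":
    print(f"{short_fraction():.1%} of toy 64-bit moduli are only 63 bits long")
```

The 64-bit size keeps the run fast; the same bit-length argument holds for any even announced size.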