On Wed, May 24, 2000 at 12:26:58PM -0400, Andrew Pimlott wrote:
> On Tue, May 23, 2000 at 11:38:29AM -0400, Clint Adams wrote:
> > Why is PARANOID entirely irrelevant for ssh?
>
> Having checked the documentation, I concede that "entirely" is not
> accurate. One can force sshd to allow "vanilla" rhosts
> authentication (the RhostsAuthentication configuration parameter),
> which may be (more easily) spoofed without PARANOID. However, this
> is disabled by default, and any sane person wanting this
> functionality would instead use RhostsRSAAuthentication, which is
> not spoofable with DNS tricks. RhostsRSAAuthentication is what I
> had in mind when I said PARANOID is irrelevant.

You may want to make it more difficult for someone to get *any* info
about your ssh. If you enable access from only certain hosts via
wrappers, you won't be advertising your ssh version and protocol
number, and would be making it harder to launch an attack on the
daemon. But host-based ACLs in hosts.allow fall apart if you don't
enable PARANOID and leave yourself open to trivial DNS tricks.

-- 
Mike Stone
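The point made above is that a hostname pattern in hosts.allow is only as trustworthy as the reverse DNS lookup behind it. The following is an added example, not code from the thread, from tcp_wrappers or from sshd: it implements the forward-confirmed reverse lookup that PARANOID stands for, with an injectable resolver and constructed records (documentation address ranges, made-up names) so it runs offline. The pattern syntax it accepts (exact address, exact name, leading-dot domain suffix) is a simplified assumption, not the full hosts_access(5) grammar.

```python
"""Forward-confirmed reverse DNS, in the spirit of tcp_wrappers' PARANOID.

Added example; not code from the mailing-list thread, tcp_wrappers or sshd.
The resolver is injected so the logic can be exercised offline.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed sample zone data (assumption). In the scenario the reverse zone
# for 203.0.113.0/24 is under hostile control and points 203.0.113.9's PTR at a
# trusted name; the forward zone for example.com is not under that control.
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["trusted.example.com"],
    "203.0.113.9": ["trusted.example.com"],  # PTR that the forward zone will not confirm
    "198.51.100.7": ["other.example.net"],
}
A_RECORDS: Dict[str, List[str]] = {
    "trusted.example.com": ["192.0.2.10"],
    "other.example.net": ["198.51.100.7"],
}

# A resolver takes (name_or_address, rrtype) and returns the record data.
Resolver = Callable[[str, str], List[str]]


def sample_resolver(query: str, rrtype: str) -> List[str]:
    """Offline stand-in for DNS; rrtype is 'PTR' or 'A' (hypothetical helper)."""
    table = PTR_RECORDS if rrtype == "PTR" else A_RECORDS
    return list(table.get(query, []))


def hostname_without_paranoid(addr: str, resolve: Resolver = sample_resolver) -> Optional[str]:
    """The weak variant: trust whatever name the PTR record claims."""
    names = resolve(addr, "PTR")
    return names[0] if names else None


def paranoid_hostname(addr: str, resolve: Resolver = sample_resolver) -> Optional[str]:
    """Return the peer's name only if PTR and A records agree.

    Reverse-resolve the peer address, forward-resolve each returned name, and
    accept a name only if one of its addresses is the original peer address.
    Otherwise the peer is treated as having no trustworthy name at all.
    """
    ipaddress.ip_address(addr)  # raises ValueError on garbage before any lookup
    for name in resolve(addr, "PTR"):
        if addr in resolve(name, "A"):
            return name
    return None


def host_allowed(addr: str, allow_patterns: List[str],
                 resolve: Resolver = sample_resolver, paranoid: bool = True) -> bool:
    """Evaluate a hosts.allow-style pattern list for one client address.

    Patterns (simplified): an exact address such as '192.0.2.10', an exact
    hostname such as 'trusted.example.com', or a domain suffix '.example.com'.
    With paranoid=True, name patterns are matched only against a
    forward-confirmed name; with paranoid=False, against the raw PTR name.
    """
    lookup = paranoid_hostname if paranoid else hostname_without_paranoid
    name = lookup(addr, resolve)
    for pat in allow_patterns:
        if pat == addr:
            return True
        if name is None:
            continue
        if pat.startswith(".") and name.endswith(pat):
            return True
        if pat == name:
            return True
    return False


if __name__ == "__main__":
    acl = [".example.com"]
    for ip in ("192.0.2.10", "203.0.113.9", "198.51.100.7"):
        print(ip, "ptr=", hostname_without_paranoid(ip), "confirmed=", paranoid_hostname(ip),
              "allowed(no PARANOID)=", host_allowed(ip, acl, paranoid=False),
              "allowed(PARANOID)=", host_allowed(ip, acl, paranoid=True))
```

Running the block shows the difference the thread is about: 203.0.113.9 carries a PTR naming a trusted host and passes the `.example.com` rule when only the reverse lookup is consulted, but is rejected once the forward lookup has to agree. Address-only patterns are unaffected either way, which is why a wrappers ACL that needs to survive DNS spoofing should either enable the paranoid check or list addresses rather than names.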