AllowHosts / DenyHosts
Dan Kaminsky
dankamin at cisco.com
Fri Mar 2 03:04:28 EST 2001
> you miss the point. the example is not about ipsec.
Markus, you miss the point: IPsec is *misery incarnate* to configure and
the keynote syntax certainly doesn't help that.
> > Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> > ApplicationDomain "IPsec policy"
> > EspAuthenticationAlgorithm hmac-sha
> > EspRequired yes
>
> this only works because the above example uses &&
Fine.
Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
ApplicationDomain "IPsec policy"
EspAuthenticationAlgorithm hmac-sha hmac-md5 ripemd-whatever
EspRequired yes
> > Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> > Host 129.210.*.*
>
> this won't work with current ssh config.
You're talking about linking a new library in that'll inherit root
permissions by dint of being linked into SSHD--I think we're safely out of
the realm of "what servconf.c can do right now."
My point is that 90% of what we'd want from Keynote we can do without
resorting to an outside library, and as nice as that extra 10% might be, if
it prevents 80% of people from using 80% of the power of SSH, we've weakened
the code considerably.
> if you want to have complex policies that you will depend on keynote.
>
> if you don't need complex policies, then you don't need keynote.
So tell me some complex policies that would be useful, that require keynote.