Rhosts-RSA authentication broken
Pekka Savola
pekkas at netcore.fi
Tue Mar 20 20:19:08 EST 2001
On Tue, 20 Mar 2001, Markus Friedl wrote:
> ! if (auth_rhosts(pw, client_user))
> ! return 1;
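Review bot: in the two changed lines, `return 1` fires as soon as `auth_rhosts(pw, client_user)` succeeds, so nothing shown here verifies the client's RSA host key before success is reported. Treat the rhosts result as a precondition only, and return 1 only after the host key check has also passed.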
>
> this is very very very wrong!
>
> it makes auth-rhost-rsa behave like auth-rhosts. in fact, this turns off
> checking of the rsa host keys. this makes auth-rhosts-rsa as unsafe as
> auth-rhosts.
.. even more so because you don't have to use privileged ports for
auth-rhost-rsa anymore, but for auth-rhost you do.
--
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords