Rhosts-RSA authentication broken

Pekka Savola pekkas at netcore.fi
Tue Mar 20 20:19:08 EST 2001

On Tue, 20 Mar 2001, Markus Friedl wrote:
> !       if (auth_rhosts(pw, client_user))
> !               return 1;
> this is very very very wrong!
> it makes auth-rhost-rsa behave like auth-rhosts. in fact, this turns off
> checking of the rsa host keys. make makes auth-rhosts-rsa as unsafe as
> auth-rhosts.

.. even more so because you don't have to use privileged ports for
auth-rhost-rsa anymore, but for auth-rhost you do.

Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.   -- Robert Jordan: A Crown of Swords

More information about the openssh-unix-dev mailing list