openssh-3.0p1, auth2.c
Markus Friedl
markus at openbsd.org
Sun Nov 11 22:55:53 EST 2001
On Sat, Nov 10, 2001 at 03:08:38PM -0500, Carson Gaspar wrote:
>
> --On Saturday, November 10, 2001 1:39 PM +0100 Markus Friedl
> <markus at openbsd.org> wrote:
>
> > On Fri, Nov 09, 2001 at 10:23:40AM +0100, Hans Werner Strube wrote:
> > > openssh-3.0p1 still contains the bug
> >
> > is it a bug? we need to use voting to bugzilla.
>
> It's a bug. Where the bug is is debatable.
so i'll remove HostbasedUsesNameFromPacketOnly.
> > 2) if HostbasedUsesNameFromPacketOnly is used, then
> > the client can send any opaque 'string' it likes to use, e.g.
> > "markus at openssh.com."
> > or even
> > "...."
> > so sshd should not modify this string.
>
> In that case, the bug is in ssh. Ssh should not send hostnames that are
> period terminated.
it should. otherwise interoperating with ssh.com is not possible.
> > why are you using HostbasedUsesNameFromPacketOnly ?
>
> It works in spite of PAT, or any other address mangling (non-transparent
> application proxy firewalls, for example). This is a key feature for many
> environments.
i think hostbased authentication never has been intended for this.
especially since rhosts-rsa requires a privileged source port.
> Now if only there were a similar feature for identifying the server...
hostkeyalias.
-m
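The thread turns on two server-side decisions in hostbased authentication: which hostname sshd uses as the lookup key (the name resolved from the peer address, or the name the client placed in the packet when HostbasedUsesNameFromPacketOnly is set), and whether a single trailing period on that name, as sent by ssh.com clients, is tolerated. The model below is an added illustration written for this page, not OpenSSH code: the known-hosts table, the reverse-DNS table, the addresses and the fingerprints are all constructed, and the host-key check is simplified to a fingerprint comparison where real sshd verifies a signature over the session identifier. It shows why the packet-supplied name is only an index into the server's own known-hosts data (the client cannot pick a name and get in without holding the key the server already trusts for that name), why name-from-packet survives address translation while reverse lookup of the peer address does not, and that only one trailing period is stripped, so an opaque string such as "...." is never silently rewritten into a different name.

```python
from typing import Optional, Tuple

# Constructed stand-in for /etc/ssh/ssh_known_hosts: hostname -> trusted host key fingerprint.
KNOWN_HOSTS = {
    "client.example.org": "SHA256:CONSTRUCTED-FINGERPRINT-CLIENT",
    "proxy.example.org": "SHA256:CONSTRUCTED-FINGERPRINT-PROXY",
}

# Constructed stand-in for a reverse lookup (getnameinfo) of the TCP peer address.
# 198.51.100.1 plays the role of a PAT / application-proxy address seen by the server.
REVERSE_DNS = {
    "192.0.2.10": "client.example.org",
    "198.51.100.1": "proxy.example.org",
}


def canonical_hostname(name: str) -> str:
    """Normalise a client-supplied host name for known-hosts lookup.

    Only a single trailing period is removed (the FQDN form ssh.com clients send);
    nothing else is rewritten, so a string like "...." keeps its meaning and simply
    fails to match any known host.
    """
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name


def select_hostname(packet_name: str, peer_addr: str,
                    use_name_from_packet_only: bool) -> Optional[str]:
    """Pick the lookup key the way the two sshd modes would (assumed behaviour)."""
    if use_name_from_packet_only:
        return canonical_hostname(packet_name)
    return REVERSE_DNS.get(peer_addr)  # None when the peer address has no PTR record


def hostbased_check(packet_name: str, peer_addr: str, presented_fingerprint: str,
                    use_name_from_packet_only: bool) -> Tuple[bool, str]:
    """Accept the request only if the server already trusts this key for the chosen name."""
    name = select_hostname(packet_name, peer_addr, use_name_from_packet_only)
    if name is None:
        return (False, "cannot resolve peer address")
    expected = KNOWN_HOSTS.get(name)
    if expected is None:
        return (False, f"no known host key for {name}")
    # Real sshd verifies a signature with the host key here; the fingerprint
    # comparison stands in for that binding between name and key.
    if expected != presented_fingerprint:
        return (False, "host key mismatch")
    return (True, name)


if __name__ == "__main__":
    fp_client = KNOWN_HOSTS["client.example.org"]
    # ssh.com-style name with trailing period, direct connection: accepted either way.
    print(hostbased_check("client.example.org.", "192.0.2.10", fp_client, True))
    # Same client behind address translation: reverse lookup names the proxy, so the
    # client's key does not match and the default mode rejects it...
    print(hostbased_check("client.example.org.", "198.51.100.1", fp_client, False))
    # ...while name-from-packet still succeeds, because the key is checked against the name.
    print(hostbased_check("client.example.org", "198.51.100.1", fp_client, True))
    # A claimed name without the matching trusted key is rejected in both modes.
    print(hostbased_check("client.example.org", "198.51.100.1", "SHA256:OTHER", True))
```

The detection-side lesson is the same in both modes: hostbased authentication is only as trustworthy as the server's known-hosts table, so the name selection changes robustness to address rewriting, not the trust decision itself, and the trailing-period handling must be a single, predictable normalisation rather than a general rewrite of the client's string.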