openssh-3.0p1, auth2.c
Carson Gaspar
carson at taltos.org
Mon Nov 12 14:20:34 EST 2001
--On Sunday, November 11, 2001 12:55 PM +0100 Markus Friedl
<markus at openbsd.org> wrote:
> so i'll remove HostbasedUsesNameFromPacketOnly.
Please don't - I'll just have to add it back in manually, and that would
suck.
>> In that case, the bug is in ssh. Ssh should not send hostnames that are
>> period terminated.
>
> it should. otherwise interoperating with ssh.com is not possible.
OK, so you want to have the ssh.com client behaviour, but not the ssh.com
server behaviour. <sigh> Make up your mind - are you being strict, or
compatible? If you can't make up your mind, put in Yet Another Option (what
fun...).
> i think hostbased authentication never has been intended for this.
Simple example. You have a server outside an application proxy firewall.
You don't want random Internet crackers going at your server. You can
restrict by IP address, but we all know how secure _that_ is (ha!). So I
want to only allow certain systems to connect. Of course to do this, and
still require a user to authenticate with a password or rsa key or
whatever, you have to implement my partial auth patch ;-)
> especially since rhosts-rsa requires a privileged source port.
Not unless you're really stupid and make it require a priv port. It
provides _zero_ additional security, and breaks things. We had this
argument ages ago, and I thought I'd convinced everyone. I'll refrain from
repeating myself - read the archives if anyone cares.
--
Carson
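The setup Carson describes (admit only known client hosts, then still make the user authenticate) as an sshd_config fragment. This is an added illustration, not configuration from the thread or from the OpenSSH project; the host names are made up, and AuthenticationMethods is a later OpenSSH (6.2+) option standing in for the "partial auth patch" the post mentions.

```conf
# sshd_config fragment (constructed example, not from the thread).
# Goal from the post: only admit connections from known client hosts,
# and still require the user to prove identity with a key or password.

# Hostbased authentication: the client host signs the request with its
# host key; sshd matches the host name against /etc/ssh/shosts.equiv
# (or /etc/hosts.equiv, ~/.shosts, ~/.rhosts) and the host key against
# /etc/ssh/ssh_known_hosts (and ~/.ssh/known_hosts unless
# IgnoreUserKnownHosts is set).
HostbasedAuthentication yes
IgnoreUserKnownHosts yes

# Use the host name the client puts in the packet instead of a reverse
# DNS lookup of the TCP peer. Needed when connections arrive through an
# application proxy (the peer address is the proxy, not the client host),
# which is the scenario in the post. The client must still present the
# host key recorded under that name, so a bare name claim is not enough.
HostbasedUsesNameFromPacketOnly yes

# Require BOTH a host-based proof and a user proof (the post's
# "partial auth"). AuthenticationMethods exists in OpenSSH 6.2 and later;
# the 3.0p1 release discussed in the thread needed a patch for this.
AuthenticationMethods hostbased,publickey hostbased,password

# /etc/ssh/shosts.equiv would then list the permitted client hosts
# (constructed names), and /etc/ssh/ssh_known_hosts their host keys:
#   bastion1.example.com
#   bastion2.example.com
```

On the client side, ssh_config needs `HostbasedAuthentication yes` and `EnableSSHKeysign yes` so ssh can sign with the host key.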
More information about the openssh-unix-dev mailing list