BadOption failures "annoying"
Damien Miller
djm at mindrot.org
Sun Oct 7 15:46:56 EST 2001
On Sun, 7 Oct 2001, Philipp Buehler wrote:

> Ok, <paranoia> It's better to refuse starting than *maybe* in an
> insecure configuration mode </paranoia> .. and yes <pedantic> test
> your stuff before restarting </pedantic> ..

Exactly. We even provide a commandline switch (sshd -t) which will
test configs for you.

> but hey, sometimes
> you are in a hurry .. :-} Or imagine a nulled configuration file
> (FS fuckup, whatever) sshd will start also.. w/ possible insecure
> configuration ....

sshd's config is secure by default.

> same for removing 'cipher none' .. ever
> thought of IPsec connected LANs where maybe a slow machine is
> connected with "trusted cables" to the IPsec gateway.. it's nice to
> still have public keys but not the crypting overhead while "work"
> and it's still encrypted via the untrusted path..

If you want rlogin, then use rlogin.

-d
--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer
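
The "test before restarting" step from the message above, as an added example that is not part of the original post or of OpenSSH: a candidate config is installed only if `sshd -t` accepts it, and the nulled-file case raised in the thread is rejected explicitly. The function names, the SSHD variable and its default path are assumptions.

```shell
#!/bin/sh
# Added example, not OpenSSH code. SSHD and both file paths are assumptions.
SSHD="${SSHD:-/usr/sbin/sshd}"

# check_sshd_config FILE
# 0 = accepted by `sshd -t`, 1 = rejected by `sshd -t`, 2 = missing or empty.
check_sshd_config() {
    candidate="$1"
    # The thread's nulled-file case: a zero-length candidate is rejected
    # here, before sshd is consulted at all.
    if [ ! -s "$candidate" ]; then
        echo "refusing $candidate: missing or empty" >&2
        return 2
    fi
    # -t: test mode (validate and exit); -f: config file to check.
    if ! "$SSHD" -t -f "$candidate"; then
        echo "refusing $candidate: sshd -t rejected it" >&2
        return 1
    fi
    return 0
}

# install_sshd_config CANDIDATE LIVE
# Replaces LIVE only after CANDIDATE passes; LIVE is untouched on any failure.
install_sshd_config() {
    candidate="$1"
    live="$2"
    check_sshd_config "$candidate" || return $?
    tmp="$live.new.$$"
    # Copy beside LIVE, then rename, so LIVE is never half-written.
    if cp -p "$candidate" "$tmp" && mv "$tmp" "$live"; then
        return 0
    fi
    rm -f "$tmp"
    return 3
}

# Stand-alone use: script CANDIDATE LIVE (restart sshd yourself afterwards).
if [ "$#" -eq 2 ]; then
    install_sshd_config "$1" "$2"
fi
```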