BadOption failures "annoying"

Damien Miller djm at
Sun Oct 7 15:46:56 EST 2001

On Sun, 7 Oct 2001, Philipp Buehler wrote:

> Ok, <paranoia> It's better to refuse starting then *maybe* in an
> insecure configuration mode </paranoia> .. and yes <pedantic> test
> your stuff before restarting </pedantic> .. 

Exactly. We even provide a commandline switch (sshd -t) which will 
test configs for you.

> but hey, sometimes
> you are in a hurry .. :-} Or imagine a nulled configuration file
> (FS fuckup, whatever) sshd will start also.. w/ possible insecure
> configuration ....

sshd's config is secure by default.

> same for removing 'cipher none' .. ever
> thought of IPsec connected LANs where maybe a slow machine is
> connected with "trusted cables" to the IPsec gateway.. it's nice to
> still have public keys but not the crypting overhead while "work"
> and it's still encrypted via the untrusted path..

If you want rlogin, then use rlogin.


| Damien Miller <djm at> \ ``E-mail attachments are the poor man's 
|          /   distributed filesystem'' - Dan Geer

More information about the openssh-unix-dev mailing list