Full FreeBSD patchset

Damien Miller djm at mindrot.org
Mon Aug 5 13:43:55 EST 2002


On Mon, 2002-08-05 at 08:02, Ben Lindstrom wrote:

> I don't know about everyone else's view.  But I don't like this.  You are
> forcing policy that should not be forced.  Users make policy.  Not
> software.  And as an admin at my work my policy is RSA over DSA.  Mainly
> because it is established and well known.  DSA does not have a long enough
> track record.  However, I'd never force anyone to use RSA over DSA based
> on my company's beliefs.

Actually, RSA is a better choice when the source of random numbers is
suspect (such as many commercial Unices), read WARNING.RNG in the
portable distribution for more details. RSA auth also seems to be a lot
quicker than DSA on slow machines.

That being said, DSA is a MUST in the protocol while RSA is optional.

PuTTY have a modification to DSA which makes it more secure in the face
of guessable nonces, it would be good if we got something similar.

> >    We use our own PAM code, which wraps PAM in a KbdintDevice and
> >    works with privsep, instead of OpenSSH's own PAM code.
> 
> I could have sworn we agreed this code should be merged into one place for
> PAM code.  Having a separate file is wrong.  Plus I could have sworn the
> agreement was to move to 2-clause.

I would still like to see that code merged (I would have sooner, but for
moving house). If someone could shoot me an up-to-date diff, I'll take
another look.

-d
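
The point above about guessable DSA nonces, as an added example that is not part of the original message and is not PuTTY's or OpenSSH's code: a toy DSA signer that derives the per-signature nonce from the private key and the message instead of the system RNG, plus the algebra showing why a known nonce gives away the key. The group parameters, function names and the simplified HMAC-based derivation are assumptions made for illustration.

```python
import hashlib
import hmac

# Toy DSA group constructed for this example (far too small for real use):
# Q divides P - 1 and G has order Q modulo P.
P, Q, G = 607, 101, 64

def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def derive_nonce(x, msg, counter=0):
    """Nonce from private key + message hash (assumed, simplified derivation)."""
    data = hashlib.sha256(msg).digest() + bytes([counter])
    mac = hmac.new(x.to_bytes(32, "big"), data, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (Q - 1) + 1  # always 1 <= k < Q

def sign_with_nonce(x, msg, k):
    """Textbook DSA signing with an explicit nonce; None if r or s is zero."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (digest(msg) + x * r) % Q
    return (r, s) if r and s else None

def sign(x, msg):
    """Sign without consulting the RNG; re-derive k if r or s came out zero."""
    for counter in range(256):
        sig = sign_with_nonce(x, msg, derive_nonce(x, msg, counter))
        if sig:
            return sig
    raise RuntimeError("no usable nonce found")

def verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = pow(G, digest(msg) * w % Q, P) * pow(y, r * w % Q, P) % P % Q
    return v == r

def key_from_known_nonce(msg, sig, k):
    """The risk being discussed: s = k^-1 (h + x*r) mod Q solves for x once k is known."""
    r, s = sig
    return (s * k - digest(msg)) * pow(r, -1, Q) % Q
```

Because the nonce depends only on the key and the message, signing the same message twice yields the same signature, and signature security no longer depends on the quality of the host's random source.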






More information about the openssh-unix-dev mailing list