Full FreeBSD patchset
Damien Miller
djm at mindrot.org
Mon Aug 5 13:43:55 EST 2002
On Mon, 2002-08-05 at 08:02, Ben Lindstrom wrote:
> I don't know about everyone else's view. But I don't like this. You are
> forcing policy that should not be forced. Users make policy. Not
> software. And as an admin at my work my policy is RSA over DSA. Mainly
> because it is established and well known. DSA does not have a long enough
> track record. However, I'd never force anyone to use RSA over DSA based on
> my company's beliefs.
Actually, RSA is a better choice when the source of random numbers is
suspect (such as many commercial Unices), read WARNING.RNG in the
portable distribution for more details. RSA auth also seems to be a lot
quicker than DSA on slow machines.
That being said, DSA is a MUST in the protocol while RSA is optional.
PuTTY has a modification to DSA which makes it more secure in the face
of guessable nonces; it would be good if we got something similar.
> > We use our own PAM code, which wraps PAM in a KbdintDevice and
> > works with privsep, instead of OpenSSH's own PAM code.
>
> I could have sworn we agreed this code should be merged into one place for
> PAM code. Having a separate file is wrong. Plus I could have sworn the
> agreement was to move to 2-clause.
I would still like to see that code merged (I would have sooner, but for
moving house). If someone could shoot me an up-to-date diff, I'll take
another look.
-d
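The nonce hardening Damien refers to above, as an added illustration in Python that is not code from this thread, from PuTTY or from OpenSSH: a toy DSA in which k is derived from the private key and the message hash (the approach later standardized as RFC 6979; PuTTY's exact construction is not reproduced here), so the same message always yields the same signature and a weak system RNG cannot leak the key through a guessable k. The ~135-bit parameters, the HMAC-SHA256 derivation and all sample values are assumptions constructed for the demo.

```python
import hashlib, hmac, random

# Toy DSA with a deterministic nonce. Parameters are generated at import time and are
# far too small for real use; `random` is used only for Miller-Rabin witnesses below,
# never for the signing nonce k.

def is_probable_prime(n, rounds=20):           # Miller-Rabin, only to build demo params
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x == 1: continue
        for _ in range(r):
            if x == n - 1: break
            x = pow(x, 2, n)
        else: return False
    return True

Q = 2**127 - 1                                  # prime subgroup order (Mersenne prime M127)
i = 2
while not is_probable_prime(Q * i + 1): i += 2  # i even so that P is odd
P = Q * i + 1                                   # prime modulus with Q | P - 1
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, P)) if g != 1)

def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def nonce(x, h, attempt):                       # k = HMAC(x, H(m) || attempt) mod Q, no RNG
    data = h.to_bytes(32, "big") + attempt.to_bytes(4, "big")
    return int.from_bytes(hmac.new(x.to_bytes(32, "big"), data, hashlib.sha256).digest(), "big") % Q

def sign(x, msg):
    h, attempt = hash_to_int(msg), 0
    while True:
        k = nonce(x, h, attempt)
        r = pow(G, k, P) % Q
        s = (pow(k, -1, Q) * (h + x * r)) % Q if k else 0
        if r and s:
            return r, s
        attempt += 1                            # degenerate k, r or s: re-derive, still deterministic

def verify(y, msg, r, s):                       # standard DSA verification against public key y
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (hash_to_int(msg) * w) % Q, (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r
```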