On Thu, 14 Feb 2002, Damien Miller wrote:

>>>Why don't you send a debugging message from kex.c if you negotiate
>>>cipher none in either direction?
>>So it is kex.c that negotiates the cipher to use.  And this is
>>negotiated just once at the start of the connection.  (Just checking)
>Renegotiation may happen at any time.

That's what I was afraid of.  I really only want to look at the cipher
used at the time the password prompt is printed.  I assume this will
always be the same cipher used to send the password.

Hang on - I know that new keys can be chosen at any time, but can
the actual cipher used change?  If I start a connection using 3DES, can
it suddenly change to Blowfish due to renegotiation?  This is surely
impossible in practice unless the server's preferences change.

>You could use an approach like I do in my keynote policy patch[1] and
>pull the cipher out of packet.c. You can then test the cipher at the
>time of the prompt directly.

>[1] http://www.mindrot.org/~djm/ssh-keynote/ssh-keynote-20020214.diff

Thanks, I will have a look at this.
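To make the negotiation point above concrete, here is an added illustration written for this page (not code from OpenSSH's kex.c or packet.c): it applies the SSH-2 selection rule, the first cipher in the client's preference list that the server also supports, for the initial exchange and again for a rekey with changed server preferences, and shows the check a client would want at password-prompt time. The preference lists and the helper names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: return 1 if the name (of length namelen) appears in
 * the comma-separated list, 0 otherwise. */
static int list_contains(const char *list, const char *name, size_t namelen) {
    const char *p = list;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == namelen && memcmp(p, name, len) == 0)
            return 1;
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* SSH-2 rule (RFC 4253, section 7.1): the chosen cipher is the first entry
 * in the client's preference list that the server also supports. Writes
 * the name into out; returns 1 on success, 0 if no common cipher fits. */
int choose_cipher(const char *client_prefs, const char *server_prefs,
                  char *out, size_t outlen) {
    const char *p = client_prefs;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len < outlen && list_contains(server_prefs, p, len)) {
            memcpy(out, p, len);
            out[len] = '\0';
            return 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* The check the thread wants at password-prompt time: the cipher in force
 * right now (after any rekey), not the initial one, must not be "none". */
int prompt_cipher_ok(const char *current_cipher) {
    return strcmp(current_cipher, "none") != 0;
}

int main(void) {
    char first[32], rekey[32];
    /* Constructed preference lists, not real OpenSSH defaults. */
    choose_cipher("3des-cbc,blowfish-cbc,none", "blowfish-cbc,3des-cbc,none",
                  first, sizeof first);
    /* Same client list, server preferences changed before rekey: the
     * negotiated cipher changes, which is exactly why the prompt-time
     * check must read the current cipher rather than the initial one. */
    choose_cipher("3des-cbc,blowfish-cbc,none", "none,blowfish-cbc",
                  rekey, sizeof rekey);
    printf("initial=%s rekey=%s prompt_ok=%d\n", first, rekey,
           prompt_cipher_ok(rekey));
    return 0;
}
```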

