Warning message at password prompt

mouring mouring at etoh.eviladmin.org
Sun Feb 17 01:03:34 EST 2002


On Sat, 16 Feb 2002, Edward Avis wrote:

[..]
> Another interesting possibility is to start off with say 3DES for the
> initial authentication and sending of passwords, then renegotiate to
> none or some faster cipher to send most of the data.  But that is beyond
> the scope of what I want to do.
>

Renegotiation can only be done by the server.  Therefore you would either
need to set the rekeying option to some insanely low time and pray to
god the user made it in time. Then you would be interrupted consistently for
rekeying, which would have an impact on performance of the protocol and
performance of the server/client involved (rekey is still expensive
on slower boxes)..

Or con someone at ssh-ietf at netbsd.net to change the current IETF draft--
that is a year overdue for RFC publishing--to allow the client to
request a rekey.  Which in and of itself could be a resource attack
unless you limit the client's rekey requests to post-authentication.

I really dislike the idea of -c 'none'.  If I wanted -c 'none' I'd use
rsh/telnet/ftp/rcp/etc. RSA/DSA keys are not enough of a bonus in my
view to prompt ssh as a 'glorified telnet'.

=) But that is just my world view.  I don't expect people to agree
with me on my personal beliefs (gawd would that be a boring world and
one I could not live in.. UGH).

- Ben

