Potential SSH2 exploit
Dave Dykstra
dwd at bell-labs.com
Sat Jan 19 09:08:41 EST 2002
I'm sorry for taking so long to respond.
On Sat, Jan 12, 2002 at 12:22:20AM -0800, David Terrell wrote:
> On Fri, Jan 11, 2002 at 04:51:56PM -0600, Dave Dykstra wrote:
> > That would be of some help; make the warning stronger if there is a known
> > key of another type. Hey, for that matter why not print out the big
> > warning that somebody could be doing something nasty? It's really no
> > different if somebody has exchanged one RSA key for another than if they've
> > exchanged one RSA key for a DSA key. Right? That would be a simple fix.
>
> It is different.
>
> In one case, you have unverified credentials, in another case you have
> clearly wrong credentials.
Well it's not the same thing as a brand new host with no credentials.
Maybe a compromise message should be printed, but I don't think it should
be the same message as a new host.
> Some people have been lazy about generating ssh2 rsa keys you know :)
What's that got to do with it?
- Dave Dykstra