Connection caching?

Damien Miller djm at mindrot.org
Tue May 4 13:48:10 EST 2004


Jefferson Ogata wrote:

> Damien Miller wrote:
> 
>> You miss the point: these controls are useless now, if they depend on
>> the integrity of an uncontrolled client.
> 
> I wouldn't agree that they're useless, but they're clearly incomplete, hence the
> /need/ for a configuration directive.

We are going in circles. You don't seem to want to understand that if
you don't trust the client, then no amount of server configuration is
going to prevent them from being taken over.

> It disappoints me that you guys have so little concern about providing 
> controllable authentication mechanisms. You really just don't get how dumb it is 
> to have implemented this feature in the server /without/ having provided a 
> configuration directive to control it, do you?

No, obviously I don't. Neither, obviously, did any of the authors of
the SSH v.2 protocol where this capability is pretty much mandated
by the spec.

On the other hand, maybe we just understand the implications of
allowing an uncontrolled client to authenticate better than you. Please
think this through before throwing more insults around.

> As for writing a patch, I wrote a patch ("Requiring multiple auth mechanisms") a 
> few weeks ago and submitted it to the list. I didn't get one useful bit of 
> feedback, or any indication whatever that the maintainers even understood the 
> purpose of the patch.

We have lives outside of OpenSSH and sometimes we are too busy to
jump when you expect us to. Especially for patches against a 2-year-old
version.

Please post your patch to bugzilla, a service that is provided so
things like that don't get lost.

-d