Host verification problem
Gert Doering
gert at greenie.muc.de
Mon May 16 08:01:12 EST 2005
Hi,

On Sun, May 15, 2005 at 11:56:03PM +0200, Hadmut Danisch wrote:
> On Sun, May 15, 2005 at 11:43:12PM +0200, Gert Doering wrote:
> >
> > If you want to argue that way: it's time to go to IPv6, and leave NAT
> > behind.
>
> Oh great. Would you please make all the involved providers, machines,
> and firewalls use IPv6 next week?

My provider, machines, and firewalls do IPv6 just fine.

> This is one of the most stupid answers I've ever got.
> Security by ignorance.

This has nothing to do with "security by ignorance".

You're the one that tells us "NAT is a great thing" - it isn't. It's
a major pain, and you're feeling some of it by trying to hack around it.
You don't want to understand that *NAT* is the cause of your pain, not ssh.

Even if you assume IPv6 won't happen - there still are better solutions
than to go with NAT (and with a reasonable ISP you can even today get
any amount of IPv4 addresses if you can document the need).

> Do you really believe a security tool like ssh is the place to
> fight your personal religious war?

*I* didn't start arguing with "assumptions of the past".

> (BTW: Have a look at Bruce Schneier's latest cryptogram. He is
> pointing out a security problem with the host key file. Maybe it would
> be better to care about security than to dance around the
> holy grail IPv6. Most providers don't even have plans to invent it.
> Focus on security, not religion.)

The SSH developers do (focus on security). They have an answer for you.
You don't like the answer. Who is religious here?

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
More information about the openssh-unix-dev
mailing list