Host verification problem

Gert Doering gert at
Mon May 16 08:01:12 EST 2005


On Sun, May 15, 2005 at 11:56:03PM +0200, Hadmut Danisch wrote:
> On Sun, May 15, 2005 at 11:43:12PM +0200, Gert Doering wrote:
> > 
> > If you want to argue that way: it's time to go to IPv6, and leave NAT
> > behind.  
> Oh great. Would you please make all the involved providers, machines,
> and firewalls use IPv6 next week?

My provider, machines, and firewalls do IPv6 just fine.

> This is one of the most stupid answers I've ever got.
> Security by ignorance.

This has nothing to do with "security by ignorance".  

You're the one that tells us "NAT is a great thing" - it isn't.  It's 
a major pain, and you're feeling some of it by trying to hack around it.  
You don't want to understand that *NAT* is the cause of your pain, not ssh.

Even if you assume IPv6 won't happen - there still are better solutions
than to go with NAT (and with a reasonable ISP you can even today get
any amount of IPv4 addresses if you can document the need).

> Do you really believe a security tool like ssh is the place to 
> fight your personal religious war? 

*I* didn't start argueing with "assumptions of the past".

> (BTW: Have a look at Bruce Schneier's latest cryptogram. He is 
> pointing out a security problem with the host key file. Maybe it would
> be better to care about security than to dance around the 
> holy grail IPv6. Most providers don't even have plans to invent it.
> Focus on security, not religion.)

The SSH developers do (focus on security).  They have an answer for you.  
You don't like the answer.  Who is religious here?

USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                             gert at
fax: +49-89-35655025                        gert at

More information about the openssh-unix-dev mailing list