VisualHostKey vs. RekeyLimit vs. VerifyHostKeyDNS
Gerald Turner
gturner at unzane.com
Sat Jan 4 06:03:07 EST 2014
Damien Miller <djm at mindrot.org> writes:
> On Thu, 2 Jan 2014, Gerald Turner wrote:
>> Every time the cipher is re-keyed, VisualHostKey clobbers the
>> terminal, usually with broken line feeds such that the ascii-art is
>> unintelligible and wraps off the right side of the terminal. This is
>> annoying, especially with a screen(1) full of ssh sessions that may
>> be idle and re-keyed several times over a weekend, coming back and
>> having to work through clearing the screens of each session (^L
>> suffices for a shell or emacs, but sometimes the session is in a
>> curses application, or lost information while tailing a log, etc.).
>> This gets uglier when making use of the fantastic ControlPersist
>> options - seemingly logged out ssh session still blast the initial
>> terminal with re-keying fingerprints.
>
> Could you please file a bug for this on https://bugzilla.mindrot.org/
> ? We should suppress the message on rekeying.
Opened https://bugzilla.mindrot.org/show_bug.cgi?id=2194
Thanks!
>> It seems VerifyHostKeyDNS=yes short-circuits VisualHostKey - it's
>> neither displayed on initial connection, or on re-keying (good).
>
> If you really want to see it, maybe we could make a
> VisualHostKey=always option?
Actually I'm fine with VerifyHostKeyDNS=ask (was only using 'yes' as an
intermediate hack to get rid of the fingerprint spam).
>> P.S. I think it's wonderful you folks are working on curve25519,
>> ed25519, and chacha20+poly1305. I've moved a bunch of systems to
>> ECDHE last year, great speedup, especially from crap Atom clients,
>> but feel that I've shot myself in the foot after Schneier's
>> denouncement of the NIST curves.
>
> IMO the concerns about the NIST EC curves are a bit overblown. If the
> NSA had some way of breaking EC directly, then they wouldn't need to
> resort to things like Dual_EC_DRBG.
Nevertheless, the "Safe Curves" work by DJB and Tanja Lange is rather
convincing that we should have better curves than the NIST curves:
http://safecurves.cr.yp.to/
--
Gerald Turner Email: gturner at unzane.com JID: gturner at unzane.com
GPG: 0xFA8CD6D5 21D9 B2E8 7FE7 F19E 5F7D 4D0C 3FA0 810F FA8C D6D5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140103/be85d5e8/attachment.bin>
More information about the openssh-unix-dev
mailing list