Legacy option for key length?

Nico Kadel-Garcia nkadel at gmail.com
Wed Jan 3 06:12:45 AEDT 2018


On Tue, Jan 2, 2018 at 11:13 AM, Cedric Blancher
<cedric.blancher at gmail.com> wrote:

> There is a simple solution: Hardware certified per MIL standards (US
> DOD MIL standards) support kerberized telnet, so ssh can be declared
> as "not needed" / "obsolete" for that purpose.

And "if wishes were fishes, we'd all swim in riches". Kerberized
*anything* requires a Kerberos server, a really reliable server or set
of servers, to manage the credentials. Many "kerberized telnet" setups
don't actually use the Kerberized telnet protocols on port 6623, they
just use the telnetd on port 23 of the telnetd server to authenticate
the user against the Kerberos server. And many obsolete setups don't
even bother with *that*. Been there, done that, should have gotten
the T-shirt.

I'm afraid that many admins, even in DoD environments, fail to bother
with setting up these kinds of basic protections. Explaining the
distinctions can be... adventuresome.



More information about the openssh-unix-dev mailing list