ideas 2

Simon 'corecode' Schubert corecode at fs.ei.tum.de
Wed Jul 28 09:20:54 PDT 2004


On 28.07.2004, at 18:07, Ed wrote:

hey,

2) By default ssh and sshd can automatically switch to the obsolete SSH
protocol v1 if one of the two doesn't support v2. I'm asking to remove 
this
automatic process, letting the user manually choose obsolete v1 using 
"ssh
-1" command.
DragonFly's sshd doesn't use ssh1 by default.

3) Obsolete SSH protocol v1 key is only 768 bits long and it's 
regenerated
every hour. Even if I suggest not to use v1, I think it can be better 
to
increase the keysize to 1024.
n/a as we don't have ssh1 enabled in the default install

5) I would suggest to modify the current banner of sshd so that it 
would seems
a clean installation of OpenSSH-portable. Using a special banner is a 
good
way to let everyone know if you're vulnerable to some attacks. Like 
happened
with Apache worms that were looking for particular versions/platform.
this is security by obscurity and doesn't help except maybe agains 
script kiddies.

6) DF is a complete OS and so you can have your own needs. This should 
let you
ask for commits on external projects like OpenSSH-portable and 
OpenSSL. What
I'm suggesting is to import their code as they release it and send 
them any
patch so that they'll be the real maintainers of the code. This can be 
easy
if you think at #ifdef and ./configure --host=DragonFlyBSD. This 
should save
DF developers time and keep original authors working on their projects 
for
you.
we are doing that already, afaik

cheers
  simon
--
/"\
\ /
 \     ASCII Ribbon Campaign
/ \  Against HTML Mail and News
Attachment:
PGP.sig
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pgp00015.pgp
Type: application/octet-stream
Size: 186 bytes
Desc: "Description: This is a digitally signed message part"
URL: <http://lists.dragonflybsd.org/pipermail/kernel/attachments/20040728/3c008413/attachment-0015.obj>


More information about the Kernel mailing list