IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: SSH key algorithm updates
A universal extractor might have trouble with our stuff. We don't use Windows Installer (the thing is a nightmare), instead we pack a large BLOB with all the files, compress it with a compression library, and stuff the compressed BLOB as a resource into the installer executable.
If the extractor is universal enough to recognize the compressed resource, and its compression format, that would leave you with a BLOB containing all the files, on which you could run "strings". You're going to get loads of strings, however.
I agree that including the "none" user auth method should probably not be done, since it's usually supported as discovery rather than an authentication method, and it's hard to tell when it's supported for login (if ever).
Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost> , 11/8/2015 3:06 AM:
Max Horn <postbox%quendi.de@localhost> writes:
>That's what I've been doing for multiple entries in my list already; but it
>has limitation, e.g. if the binaries are wrapped in an installer, which
>contains only a compressed version of the actual executable.
There are a bunch of universal extractors that will bypass the need to
install, google "windows installer unpacker", so you don't need to install
random binaries on your system.
>It also can lead to inaccurate results, and does not reveal which methods are
>enabled/disabled by default, etc.
Yeah, that's a good point. OTOH you then need to do test runs on the app to
try and probe what's present and what isn't. It depends on how much time you
want to sink into it :-).
>Yes, I was (and am) having precisely the same concern. But now I am wondering
>whether I should just omit the "none" entry completely. After all, it either
>leaves an incorrect bad impression (if people read it as meaning that a
>server supports "non-as-auth" by default), and otherwise is useless, as it
>doesn't tell you whether it actually means it works as "none-as-query".
That sounds like a good idea. You more or less have to support none-as-query
in order to be able to communicate with some clients, so in theory every
implementation would have to have support for "none". OTOH I would imagine
few implementations allow you in without authentication, so few would suport
the other "none".
Oh, and you'll need to add columns for the SHA-2 forms of signatures soon :-).
Peter.
Home |
Main Index |
Thread Index |
Old Index