Subject: Re: ssh config path change (/etc -> /etc/ssh)
To: None <xs@kittenz.org.cd.worst.com>
From: Evil Erik <cyber@ono-sendai.com>
List: tech-security
Date: 03/14/2002 13:34:15
On Thu, Mar 14, 2002 at 12:02:07PM +0000, xs@kittenz.org.cd.worst.com wrote:
> on Thu, Mar 14, 2002 at 03:49:39AM -0500, Brian A. Seklecki wrote:
> > But is convenience worth sacrificing security integrity?
>
> If users aren't aware that shelling into their Linux 486 is faster than
> shelling into the same box running NetBSD is because NetBSD defaults to
> SSH2, it's going to lead to "NetBSD is so much slower than Linux, I think
> I'll stick with Linux." s/Linux/whateveros/g
>
> As long as a secure default is documented with the fact it does cause
> this slow down and you can speed it up, sacrificing security, by using
> SSH1, then I think it's a good idea.
Fail Safe. We don't even enable sshd by default. A couple of lines
of documentation near where one would look to throw the switch
should help dramatically. (i.e.: in the man page, and in
/etc/defaults/rc.conf)
> > *) Consequently the first run (rc.d/sshd keygen) will run more quickly as
> > there will only be 1 key to generate as opposed to 3.
>
> DSA key generation is much slower than RSA. Time for RSA key generation
> becomes quite small compared to DSA. I think it's a good idea to keep
> all three keys generated, because otherwise if /etc/ssh/sshd.conf
> is changed so SSH1 is enabled, there won't be an RSA1 key for it to use.
This shouldn't happen all that often. I still have a collection of
slow machines (ss1, ss1+, sun3/*, multias) that occasionally come
online via a netboot. (Let's ignore the netboot/NFS specific issues,
it's not germane to the discussion.) Yes, it takes them a while to
generate the keys each time I test out a new tree for the first
time. I get over it. Point being, it's there for people to adjust
as they see fit.
> OpenSSH is a secure reimplementation of SSH (the implementation) not
> a secure implementation of SSH (the protocol), imho.
And definitely not a secure redesign of the protocol.
-=erik.
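As an added example (not from this thread or from NetBSD), a small audit for the mismatch raised above: a config flipped to allow SSH1 on a box whose rc.d/sshd keygen produced no RSA1 host key. The default key file names and the assumed `Protocol 2,1` fallback are my assumptions about OpenSSH of that era, not statements from the thread.

```python
import re

# Default OpenSSH host-key file names, relative to /etc/ssh (assumption: the
# thread only speaks of "3 keys" and "an RSA1 key", so these names are mine).
DEFAULT_HOSTKEYS = {
    1: ["ssh_host_key"],                          # SSH1 (RSA1) host key
    2: ["ssh_host_rsa_key", "ssh_host_dsa_key"],  # SSH2 host keys
}


def parse_protocol(config_text):
    """Return the set of protocol versions enabled by an sshd config.

    Comments are stripped and the first 'Protocol' directive wins, as in
    sshd; with no directive, assume the era's default of '2,1'."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"protocol\s+([\d,\s]+)$", line, re.IGNORECASE)
        if m:
            return {int(v) for v in re.split(r"[,\s]+", m.group(1).strip()) if v}
    return {2, 1}


def audit_sshd(config_text, present_keys):
    """Return findings for this config and the host keys present in /etc/ssh.

    present_keys: set of key file names (e.g. from os.listdir). Findings cover
    the weak protocol and any enabled protocol left without a host key."""
    protocols = parse_protocol(config_text)
    findings = []
    if 1 in protocols:
        findings.append("protocol 1 enabled: SSH1 is the weaker protocol, prefer 'Protocol 2'")
    for proto in sorted(protocols):
        for key in DEFAULT_HOSTKEYS[proto]:
            if key not in present_keys:
                findings.append("protocol %d enabled but host key %s is missing" % (proto, key))
    return findings


# Constructed sample: SSH1 switched on for speed, but only the SSH2 keys exist.
SAMPLE_CONFIG = """\
# Protocol 2
Protocol 1,2
"""
SAMPLE_KEYS = {"ssh_host_rsa_key", "ssh_host_dsa_key"}

if __name__ == "__main__":
    for f in audit_sshd(SAMPLE_CONFIG, SAMPLE_KEYS):
        print("WARNING:", f)
```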