From: Nick Barnes
To: Nick Sayer
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: telnet "SRA secure login" fails intermittently
In-Reply-To: Message from Nick Sayer of "Mon, 29 Jul 2002 10:03:36 PDT." <3D457568.9070704@kfu.com>
Date: Mon, 29 Jul 2002 21:10:00 +0100
Message-ID: <25471.1027973400@thrush.ravenbrook.com>

At 2002-07-29 17:03:36+0000, Nick Sayer writes:
> Nick Barnes wrote:
> >[examples of the same password both working and not working with SRA
> telnet]
>
> Hi. I initially imported SRA into the tree. I see this periodically too,
> and have since day one. I suspect when it picks its DH components there
> is an occasional rounding error in there somewhere which ends up keeping
> both sides from being able to agree. The only thing to do about it is
> break the connection and try again.
>
> SRA was imported when there was no other way to remotely access a newly
> installed FreeBSD machine without exposing the root password at least
> once (to do the make install on the ssh port). Shortly after SRA was in,
> openssh was imported, which sort of made it a moot point. SRA's DH
> constants are too small for today's CPU horsepower and it is vulnerable
> to MiM (but then, so is ssh unless you actually verify the host keys
> first using a trusted channel) and it is not extensible. But it is
> better than plaintext.

Can you say some more about what SRA is? It's not in the telnet or
telnetd man pages. I would be happy to delve into the sources and help
fix this. Maybe we should take this off-line.

Nick B