From owner-freebsd-stable Mon Jul 29 10: 4: 3 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6917A37B400 for ; Mon, 29 Jul 2002 10:04:01 -0700 (PDT)
Received: from quack.kfu.com (adsl-67-113-12-90.dsl.snfc21.pacbell.net [67.113.12.90]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4E03F43E3B for ; Mon, 29 Jul 2002 10:04:00 -0700 (PDT) (envelope-from nsayer@kfu.com)
Received: from kfu.com (gate.cenzic.com [66.237.77.34]) (authenticated bits=0) by quack.kfu.com (8.12.3/8.12.3) with ESMTP id g6TH3rKi015648 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK); Mon, 29 Jul 2002 10:03:59 -0700 (PDT) (envelope-from nsayer@kfu.com)
Message-ID: <3D457568.9070704@kfu.com>
Date: Mon, 29 Jul 2002 10:03:36 -0700
From: Nick Sayer
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1b) Gecko/20020721
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Nick Barnes
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: telnet "SRA secure login" fails intermittently
References: <24197.1027939929@thrush.ravenbrook.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Nick Barnes wrote:

>[examples of the same password both working and not working with SRA telnet]

Hi. I initially imported SRA into the tree.

I see this periodically too, and have since day one. I suspect when it picks its DH components there is an occasional rounding error in there somewhere which ends up keeping both sides from being able to agree. The only thing to do about it is break the connection and try again.
SRA was imported when there was no other way to remotely access a newly installed FreeBSD machine without exposing the root password at least once (to do the make install on the ssh port). Shortly after SRA was in, openssh was imported, which sort of made it a moot point.

SRA's DH constants are too small for today's CPU horsepower and it is vulnerable to MiM (but then, so is ssh unless you actually verify the host keys first using a trusted channel) and it is not extensible. But it is better than plaintext.