Date: Sun, 2 Jan 2000 14:46:49 -0500 (EST) From: Brian Fundakowski Feldman <green@FreeBSD.org> To: Markus Friedl <markus.friedl@informatik.uni-erlangen.de> Cc: David Rankin <drankin@bohemians.lexington.ky.us>, "Michael H. Warfield" <mhw@wittsend.com>, Dug Song <dugsong@monkey.org>, security@FreeBSD.org, openssh-unix-dev@mindrot.org Subject: Re: OpenSSH protocol 1.6 proposal Message-ID: <Pine.BSF.4.10.10001021441330.8076-100000@green.dyndns.org> In-Reply-To: <20000102151208.A21548@folly.informatik.uni-erlangen.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 2 Jan 2000, Markus Friedl wrote: > On Sun, Jan 02, 2000 at 06:15:48AM -0500, David Rankin wrote: > > Speaking completely without facts, I am personally skeptical about > > enhancing the 1.x protocol when all of the standards processes are > > focused on getting 2.0 out the door. That said, I am willing to be > > convinced on the matter. > > i have put the latest revisions of my SSH 1.6 patches to > http://wwwcip.informatik.uni-erlangen.de/~msfriedl/openssh/ My concern here is, how much does it convolute the code? I believe that it's probably not as useful to make the old SSH 1.X protocol as infinitely more secure as it is useful to make OpenSSH support the 2.X protocol. > > basically they consist of: > (1) CRC is replaced with hmac-sha1 + sequence-numbers. the bytes > needed for the hmac-key are taken from the shared session-key I really don't see why we should need sequence numbers if we do a continuous SHA-1 hash of the entire stream. Are you proposing just one use per SHA_CTX, each packet having its own independent hash and sequence number? > (2) authentication for parameters passed in the clear: the session-id > is extended from > session_id := MD5 (host_key_n |session_key_n|cookie); > to > session_id := MD5 (host_key_n |session_key_n| > supported_ciphers|supported_authentications| > client_flags|server_flags| > client_version_string|server_version_string| > cookie); That does sound better, although I wouldn't know ow much better than before. > > and yes, having openssh speak SSH-2.0 would be nice. > mail me if you are interested in helping implement 2.0. Of course! > > -markus > -- Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! / green@FreeBSD.org `------------------------------' To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.10001021441330.8076-100000>