From owner-freebsd-current Sun Feb 27 01:05:34 2000
Delivered-To: freebsd-current@freebsd.org
Received: from resnet.uoregon.edu (resnet.uoregon.edu [128.223.144.32]) by hub.freebsd.org (Postfix) with ESMTP id 2523837B52B; Sun, 27 Feb 2000 01:05:23 -0800 (PST) (envelope-from dwhite@resnet.uoregon.edu)
Received: from localhost (dwhite@localhost) by resnet.uoregon.edu (8.9.3/8.9.3) with ESMTP id BAA99884; Sun, 27 Feb 2000 01:05:20 -0800 (PST) (envelope-from dwhite@resnet.uoregon.edu)
Date: Sun, 27 Feb 2000 01:05:20 -0800 (PST)
From: Doug White
To: Kris Kennaway
Cc: Bjoern Groenvall, "Jordan K. Hubbard", current@FreeBSD.ORG, markm@FreeBSD.ORG
Subject: Re: OpenSSH /etc patch
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, 26 Feb 2000, Kris Kennaway wrote:

> On 26 Feb 2000, Bjoern Groenvall wrote:
>
> > Right, the code does not lie (if ssh is setuid root). But, if the host
> > key has not yet been created, then no host can have the public key and
> > thus rsa-rhosts authentication won't work anyway. It is not required
> > to run ssh-keygen to make ssh work; sshd still requires the host key
> > to operate.
>
> I don't follow you - if no host key is generated, then you can't ever use
> the RSA-rhosts authentication mechanism to log into another server until
> you do. Thus part of ssh's functionality is broken until you generate that
> key, so we do it for you the first time you boot.

I was under the impression that host keys are exchanged before the
authentication type is selected, so a) the identity of the remote is
compared to known_hosts and reacted to accordingly, and b) the remainder
of the session is encrypted no matter what auth type (so, i.e., the
password is encrypted if RSA keys are not used). I'm thinking of the
old/stock sshd, not OpenSSH, but I'm not aware of that big a change.

If I'm wrong, please beat me over the head with a large metal object and
carry on like nothing happened. :)

Doug White                   | FreeBSD: The Power to Serve
dwhite@resnet.uoregon.edu    | www.FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
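The known_hosts comparison Doug refers to in point a) above, the client-side check of the server's host key that happens before any user authentication, is shown below as an added example. It is not code from this thread and not OpenSSH's own implementation; it is a stand-alone illustration of the known_hosts file format. Function names (`check_host_key`, `hostname_matches`, `hash_hostname`, `fingerprint`, `ed25519_blob`), the two 32-byte "keys", the salt and the known_hosts lines are all constructed for the example. Hashed hostname entries (the `|1|salt|hmac` form) and `@revoked` markers are handled; `@cert-authority` entries and `*`/`?` wildcards are not.

```python
import base64
import hashlib
import hmac


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format 'string': 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def ed25519_blob(pubkey32: bytes) -> str:
    """Base64 key blob as it appears in the third known_hosts column."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(pubkey32)).decode()


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the unpadded-base64 form `ssh-keygen -l` prints."""
    raw = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(raw).decode().rstrip("=")


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hostname_matches(host_field: str, hostname: str) -> bool:
    """Does a known_hosts host field (plain name, comma list, or hashed) cover hostname?"""
    if host_field.startswith("|1|"):
        parts = host_field.split("|")
        if len(parts) != 4:
            return False  # malformed hashed entry
        expected = hash_hostname(hostname, base64.b64decode(parts[2]))
        return hmac.compare_digest(expected, host_field)
    return hostname in host_field.split(",")


def check_host_key(known_hosts: str, hostname: str, key_type: str, key_b64: str) -> str:
    """Classify the key the server presented: 'ok', 'unknown', 'MISMATCH' or 'REVOKED'.

    Only 'ok' should let the client go on to user authentication. 'MISMATCH'
    is the case that must abort: an entry for this host and key type exists,
    but the server presented a different key.
    """
    seen_host = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = ""
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or marker == "@cert-authority":
            continue  # CA entries need certificate parsing; not handled here
        hosts, ktype, kblob = fields[0], fields[1], fields[2]
        if ktype != key_type or not hostname_matches(hosts, hostname):
            continue
        if hmac.compare_digest(kblob, key_b64):
            return "REVOKED" if marker == "@revoked" else "ok"
        if marker != "@revoked":
            seen_host = True  # a different key is on file for this host
    return "MISMATCH" if seen_host else "unknown"


# Constructed sample data (not real keys): two fake 32-byte ed25519 public keys,
# a fixed 20-byte salt, and a known_hosts file with plain, hashed and revoked lines.
GOOD_KEY = ed25519_blob(bytes(range(32)))
EVIL_KEY = ed25519_blob(bytes(range(32, 64)))
SALT = b"0123456789abcdef0123"
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "bastion.example.org,10.0.0.5 ssh-ed25519 " + GOOD_KEY,
    hash_hostname("git.example.org", SALT) + " ssh-ed25519 " + GOOD_KEY,
    "@revoked old.example.org ssh-ed25519 " + EVIL_KEY,
])


if __name__ == "__main__":
    for host, key in [("bastion.example.org", GOOD_KEY), ("bastion.example.org", EVIL_KEY),
                      ("git.example.org", GOOD_KEY), ("new.example.org", GOOD_KEY),
                      ("old.example.org", EVIL_KEY)]:
        print(host, fingerprint(key), check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The hashed form is what `HashKnownHosts yes` writes: the salt is stored in the clear, so a client can recompute the HMAC for the name it is about to connect to, but an attacker who steals the file cannot list the hosts it covers. Note that a key-type mismatch (e.g. the file only has an ssh-rsa entry and the server offers ssh-ed25519) is reported as "unknown", not "MISMATCH", which is why a real client also consults the full set of key types the server advertises.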