From owner-cvs-all Fri Sep 28 10:47:54 2001 Delivered-To: cvs-all@freebsd.org Received: from green.bikeshed.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 959C637B406; Fri, 28 Sep 2001 10:47:45 -0700 (PDT) Received: from localhost (green@localhost) by green.bikeshed.org (8.11.4/8.11.1) with ESMTP id f8SHlhG59474; Fri, 28 Sep 2001 13:47:43 -0400 (EDT) (envelope-from green@green.bikeshed.org) Message-Id: <200109281747.f8SHlhG59474@green.bikeshed.org> X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: nate@yogotech.com (Nate Williams) Cc: Kris Kennaway , Mike Silbersack , Brian Feldman , cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/crypto/openssh atomicio.h auth-chall.c auth2-chall.c canohost.h clientloop.h groupaccess.c groupaccess.h kexdh.c kexgex.c log.h mac.c mac.h misc.c misc.h pathnames.h In-Reply-To: Message from Nate Williams of "Fri, 28 Sep 2001 08:46:01 MDT." <15284.36137.254842.551909@nomad.yogotech.com> From: "Brian F. Feldman" Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 28 Sep 2001 13:47:43 -0400 Sender: owner-cvs-all@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Nate Williams wrote: > > > > The only difference between this and what's in -CURRENT is that the > > > > default /etc/ssh/ssh_config sets "Protocol 1,2" for all hosts. This can > > > > be overrided entirely in user ~/.ssh/config files, as always. > > > > > > Are there known compatibility problems with version 2 that this works > > > around, or is this just so that people don't get surprised when they need > > > to verify a new host key? > > > > If you change the protocol to 2,1 then your version 1 RSA keys won't > > be used by default > > Ok so far. > > > because if the server can speak the ssh2 protocol > > then the client will try to auth with SSH2 keys first (which probably > > wont be set up to work, or may have different passphrases, etc) and > > then fall back to SSH2 password auth. > > So, in other words, there is really no point in having both protocols > listed in the same line, since only one protocol is ever attempted. > > A better description of the protocol line woudl be: > > "Protocol 1" > *OR* > "Protocol 2" > > Since in fact, it doesn't try the first protocol, and if it fails, then > try the second protocol. It always sticks with the primary protocol. It does try both, according to the preference order you specify. The problem is then that it doesn't try the other protocol if the first one fails at authentication. -- Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! / green@FreeBSD.org `------------------------------' To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message