From: Roger Marquis
Date: Wed, 20 Dec 2000 19:32:44 -0800 (PST)
To: security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:

Mikhail Kruk wrote:

> In my experience due to bad administrators who screw up ssh installations
> those keys change after every OS upgrade and users get used to answering
> "yes" to this question.

Bad administrators? You must be joking. You only need to look at a couple
of the ssh ports to see where the problem is (in FreeBSD at least).

For example, if I install ssh from ports it won't upgrade the pre-installed
system ssh but will instead add a second copy in different directories. Now
we have 2 (or more) different revisions on the same system and a user will
get either one or the other depending on their $PATH.

Second, while Kris Kennaway was good enough to upgrade ssh1 to check
/etc/inetd.conf before installing a startup script, none of the other ssh
ports do this basic check.

Third, the sshd_config and ssh_config defaults are less than optimal.

Fourth, the error message triggered by a key change is too terse to be very
helpful to your average end-user.

IMHO, this has little or nothing to do with administrators or end-users.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
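As an added example (not part of the thread), a POSIX sh check for the situation Roger describes: it walks a colon-separated search path, reports every executable of a given name with its version banner, and counts how many distinct revisions a user could end up running depending on $PATH order. It assumes each binary answers "-V" on stderr the way OpenSSH does; the two fake ssh scripts in demo() are constructed stand-ins for a base-system and a ports install.

```shell
#!/bin/sh
# Added example: find every executable named $1 along the search path $2
# and print "path<TAB>version banner", one line per copy found.
# Assumes the binary reports its version with "-V" on stderr (OpenSSH style).
list_in_path() {
    name=$1; searchpath=$2
    # Subshell keeps the IFS change local to the loop.
    (
        IFS=:
        for dir in $searchpath; do
            [ -x "$dir/$name" ] || continue
            ver=$("$dir/$name" -V 2>&1 | head -n 1)
            printf '%s\t%s\n' "$dir/$name" "$ver"
        done
    )
}

# Number of distinct version banners reachable via the search path.
# Anything above 1 means two users (or two shells) may run different
# ssh revisions, with different config paths and host-key handling.
distinct_versions() {
    list_in_path "$1" "$2" | cut -f2 | sort -u | wc -l | tr -d ' '
}

# Constructed demo: two fake "ssh" binaries mimicking a base-system copy
# and a ports copy of different releases, placed in two PATH directories.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/local/bin"
    printf '#!/bin/sh\necho "OpenSSH_2.2.0 (constructed)" >&2\n' > "$tmp/bin/ssh"
    printf '#!/bin/sh\necho "OpenSSH_2.3.0 (constructed)" >&2\n' > "$tmp/local/bin/ssh"
    chmod +x "$tmp/bin/ssh" "$tmp/local/bin/ssh"
    n=$(distinct_versions ssh "$tmp/bin:$tmp/local/bin")
    rm -rf "$tmp"
    echo "$n"
}

# Real-world use: list_in_path ssh "$PATH"; distinct_versions sshd "$PATH"
```

Run demo to see the constructed case report 2 distinct revisions; against a live system, pass "$PATH" and a result above 1 is the condition the message complains about.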