From owner-freebsd-questions Mon Oct 29 17:13:40 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from robin.mail.pas.earthlink.net (robin.mail.pas.earthlink.net [207.217.120.65]) by hub.freebsd.org (Postfix) with ESMTP id 9587637B40B for ; Mon, 29 Oct 2001 17:13:32 -0800 (PST)
Received: from user-33qtnbj.dialup.mindspring.com ([199.174.221.115] helo=gohan.cjclark.org) by robin.mail.pas.earthlink.net with esmtp (Exim 3.33 #1) id 15yNT9-00024A-00; Mon, 29 Oct 2001 17:13:32 -0800
Received: (from cjc@localhost) by gohan.cjclark.org (8.11.6/8.11.1) id f9U0u1u00499; Mon, 29 Oct 2001 16:56:01 -0800 (PST) (envelope-from cjc)
Date: Mon, 29 Oct 2001 16:56:01 -0800
From: "Crist J. Clark"
To: Kutulu
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Two sshd questions...
Message-ID: <20011029165601.D224@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <003901c16000$ee0b0290$88682518@longhill1.md.home.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <003901c16000$ee0b0290$88682518@longhill1.md.home.com>; from kutulu@kutulu.org on Sun, Oct 28, 2001 at 05:36:01PM -0500
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Sun, Oct 28, 2001 at 05:36:01PM -0500, Kutulu wrote:
> Two (unrelated) questions regarding ssh, and OpenSSH in particular:
>
> 1. Is there a way to prevent the ssh client from overriding options in
> /etc/ssh/ssh_config?

Not without hacking the source code to prevent it. Even if you do, how
do you plan to prevent the user from downloading his own version of SSH
to his account without the customizations?

> 2. A more 'best practices' question: Which is the preferred version of ssh
> to be running?

IMHO (and this is probably the majority opinion), the latest version of
your favorite vendor's (like OpenSSH) SSH2 client is the way to go.
There are fundamental design issues in the SSH1 protocol which make it
inherently less secure than SSH2.

As for DSA versus RSA, there is an old saying, "If the cryptography is
the weakest part of your protocol, you have the world's most secure
protocol." From a practical standpoint, DSA and RSA keys are not
breakable. It's kind of like worrying about 128-bit versus 112-bit
symmetric keys. Nobody can crack 112-bits before the sun dies out, so
why worry.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
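The first answer above rests on how the OpenSSH client resolves options: per ssh_config(5), values are taken from the command line first, then the user's ~/.ssh/config, then the system-wide /etc/ssh/ssh_config, and for each keyword the first value obtained wins. The following is an added example, not code from the list post or from OpenSSH: a toy model of that precedence rule that parses two constructed ssh_config-style files (assumed contents, not real hosts), merges them in the client's order, and reports which /etc/ssh/ssh_config settings a given user-level file or -o flag would silently displace. That report is the check an administrator wants before relying on the system file as policy. Negated (!) patterns and Match blocks are simplifications left out here.

```python
"""Toy model of OpenSSH client option precedence (added example).

Assumption, from ssh_config(5): for each keyword the FIRST value the
client obtains wins, and it looks in this order:
  1. command-line options (-o Key=value),
  2. the user's ~/.ssh/config,
  3. the system-wide /etc/ssh/ssh_config.
So the system file only supplies defaults; it cannot enforce anything.
Negated host patterns and Match blocks are not modelled.
"""
import re
from fnmatch import fnmatch

# Constructed sample files, not configs from the list post.
SYSTEM_CONFIG = """\
# /etc/ssh/ssh_config (what the admin intends as policy)
Host *
    Protocol 2
    ForwardAgent no
    StrictHostKeyChecking yes
"""

USER_CONFIG = """\
# ~/.ssh/config (consulted before the system file)
Host *.example.org
    ForwardAgent yes

Host *
    StrictHostKeyChecking no
"""


def parse_ssh_config(text):
    """Return a list of (host_patterns, {keyword: value}) blocks.

    Options appearing before any Host line belong to an implicit 'Host *'.
    Within a block the first occurrence of a keyword is kept, as in ssh.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)
    blocks.append((patterns, options))
    return blocks


def effective_options(hostname, sources):
    """Merge config texts in the order given; the first value per keyword wins."""
    resolved = {}
    for source in sources:
        for patterns, options in parse_ssh_config(source):
            if any(fnmatch(hostname, p) for p in patterns):
                for key, value in options.items():
                    resolved.setdefault(key, value)
    return resolved


def resolve(hostname, cmdline_opts, user_config, system_config):
    """Resolve the options ssh would use for hostname.

    cmdline_opts models '-o Key=value' flags, which outrank both files.
    """
    cmdline_text = "\n".join(f"{k} {v}" for k, v in cmdline_opts.items())
    return effective_options(hostname, [cmdline_text, user_config, system_config])


def overridden(hostname, cmdline_opts, user_config, system_config):
    """Report system-file settings that lose to an earlier source.

    Returns {keyword: (intended_value, value_actually_used)}.
    """
    intended = effective_options(hostname, [system_config])
    actual = resolve(hostname, cmdline_opts, user_config, system_config)
    return {k: (intended[k], actual[k]) for k in intended if actual.get(k) != intended[k]}


if __name__ == "__main__":
    host = "box.example.org"
    for key, (want, got) in overridden(host, {"Protocol": "1"}, USER_CONFIG, SYSTEM_CONFIG).items():
        print(f"{host}: {key} intended={want!r} but effective={got!r}")
```

Running the block shows every one of the three "policy" lines in the constructed system file displaced, two by the user file and one by a single -o flag, which is the point of the reply: a client-side default is not a control, and a user who can edit ~/.ssh/config or pass options (let alone install their own ssh binary) decides what the client does. Anything that must hold regardless of the client belongs on the server side (sshd_config) instead.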