From owner-freebsd-questions Tue May 30 8:31:36 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from dazed.slacker.com (dazed.slacker.com [208.15.208.76]) by hub.freebsd.org (Postfix) with SMTP id F122537BDF1 for ; Tue, 30 May 2000 08:31:18 -0700 (PDT) (envelope-from nugget@dazed.slacker.com)
Received: (qmail 31678 invoked by uid 1000); 30 May 2000 15:31:16 -0000
Date: Tue, 30 May 2000 10:22:02 -0500
From: David McNett
To: Doug Barton
Subject: Re: telnet software
Message-ID: <20000530102202.A30878@dazed.slacker.com>
X-Mailer: Mutt 1.0.1i
X-Operating-System: FreeBSD 4.0-STABLE i386
X-Distributed: Join the Effort! http://www.distributed.net
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 30-May-2000, Doug Barton wrote:
> David McNett wrote:
> > On 26-May-2000, Chris Fedde wrote:
> > >I've looked at this recently (with a view to supporting ssh-v1) I find that
> > >tterm has superior user interface and emulation to putty. For sheer
> > >accuracy of emulation though, I'd go with kermit.
> >
> > As far as putty is concerned, I've never been comfortable running an ssh
> > client by someone who not only refuses to implement rsa authentication,
> > but also seems to lack understanding as to why rsa authentication is a good
> > thing to have.
>
> That is a mischaracterization of the author's position, which can be
> found at the end of
> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist.html. If you
> don't want to use putty, don't. But please don't cast aspersions on
> someone just because they don't agree with the "wisdom" of your
> position. Personally I agree that trying to do something like RSA
> identity file authentication from a windows machine is a giant security
> nightmare.
>
> I've used putty for a year and a half now, and I've found it to be
> ideal for the niche that it's designed to occupy. I've corresponded with
> the author (in the course of tracking down a display bug) and found him
> to be both responsive and sharp.

Doug:

I'm pleased that you've had a rewarding experience with putty, and I'm sorry that your familiarity and personal history with its author make my position distasteful to you. Although I've never had the benefit of direct correspondence with Mr Tatham, I have no reason at all to think that he's anything but a great guy.

I'm hardly casting aspersions on Mr Tatham. Nowhere have I commented on his character or personality. I can only base my opinion on his web site, which you've so considerately pointed to. I see that it's unchanged since the last time I looked.

I am confused how my statement is a mischaracterization of his position. I take specific exception to the following:

    Implausible feature wish list

    These are features I will probably never get round to adding myself. I wouldn't be opposed to seeing them written, but if it happens somebody else will have to do it, because they're big and complicated and I wouldn't use them enough myself to justify spending all that effort.

    o Forms of SSH authentication other than password. I don't believe many of these can be made sensibly secure from a Windows box, even NT, and the ones that can tend to require the client to perform RSA private-key operations, which my current RSA code is too slow to do usefully. Plus they involve more typing than a password.

Personally, I find this to be a gross mischaracterization of the purpose of RSA authentication. RSA authentication is desirable for a variety of reasons, none of which have anything to do with the amount of typing required by the user. For someone who has undertaken the development and maintenance of an ssh client, I find this apparent misunderstanding distressing. The decision to not support RSA authentication is fine, but to misrepresent (or, it would appear, to misunderstand) its use casts significant doubt in my mind.

I support his decision to not support RSA authentication, especially in light of the fact that his code is too slow to be useful, but the fact that he seems to completely misunderstand why one would want or need RSA authentication leaves me questioning his ability to implement any aspect of ssh.

Lastly, your restatement of his position seems to be in conflict with the wish list you've quoted. Mr Tatham does not appear to be making the statement that supporting RSA authentication is a "security nightmare". To quote:

    "I don't believe many of these can be made sensibly secure from a Windows box, even NT,..."

I assume that here he is referring to rhosts, kerberos, or perhaps even s/key authentication.

    "...and the ones that can [be implemented securely on a windows box] tend to require the client to perform RSA private-key operations, which my current RSA code is too slow to do usefully."

I see here that he is not making the claim that it's insecure to implement RSA auth from a win32-based client, but rather simply stating that his own implementation is inadequate to be useful.

In fairness, he also acknowledges that developing a product that uses the currently patent-protected RSA algorithm is problematic. This is another valid reason to not support RSA auth. It is, however, unrelated to your depiction of his views.

In summary, I've not cast any aspersions on Mr Tatham. I've simply expressed that I have difficulty trusting someone who displays an apparent lack of understanding regarding the protocol that their product ostensibly exists to support. I'm not claiming to be wise. I am just questioning the wisdom of hanging the security of your communications on the capabilities of someone who appears to lack the (I feel) required background and perspective to appropriately develop ssh client software. There are untold millions of folks who are both sharp and responsive who are, despite that, still unqualified to do secure software design.

Thanks for your mail. I'm sorry that you were offended by my post to the mailing list. I hope this helps clarify my position, which was perhaps stated to the list too briefly.

Warmly,
David McNett
nugget@slacker.com

-- 
________________________________________________________________________
|David McNett      |To ensure privacy and data integrity this message has|
|nugget@slacker.com|been encrypted using dual rounds of ROT-13 encryption|
|Birmingham, AL USA|Please encrypt all important correspondence with PGP!|