From owner-freebsd-arch Tue Oct 10 10:50:11 2000
Delivered-To: freebsd-arch@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
    by hub.freebsd.org (Postfix) with ESMTP id 5C21037B503
    for ; Tue, 10 Oct 2000 10:50:09 -0700 (PDT)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
    by fledge.watson.org (8.9.3/8.9.3) with SMTP id NAA29819;
    Tue, 10 Oct 2000 13:48:42 -0400 (EDT)
    (envelope-from robert@fledge.watson.org)
Date: Tue, 10 Oct 2000 13:48:41 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Matt Dillon
Cc: Kris Kennaway, Terry Lambert, arch@FreeBSD.org, Poul-Henning Kamp, Warner Losh, Jeroen Ruigrok van der Werven
Subject: Re: cvs commit: src/etc inetd.conf
In-Reply-To: <200010101729.e9AHTe913811@earth.backplane.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 10 Oct 2000, Matt Dillon wrote:

> Most people don't care, they just type 'yes' when ssh complains about
> seeing a new host for the first time and it gets recorded. So why should
> they care on a first-time install? I certainly don't care... while it
> is entirely proper for ssh to complain, it doesn't follow that a sysop
> has to listen to it.
>
> This is certainly not a show stopper. Besides, you get no assurances at
> all with telnet so this point isn't really relevant to the discussion.

It was my distinct impression we were talking about secure remote log-ins,
not administrators ignoring proper security procedures. I'm sorry to hear
that Best was vulnerable to man-in-the-middle attacks, but I'm not sure
that has any bearing on the conversation (and it's probably not something
you want to share on public mailing lists).

The point in bringing it up was that unless you go through the proper
keying procedure, you don't gain much by switching to a keyed protocol
from an un-keyed one. If we have a system in which it is impossible to
follow the correct procedure, then it's arguable that forcing people to
use the keyed protocol has no security benefit.

Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services