From owner-freebsd-security Wed Mar 27 8: 8:27 2002
Delivered-To: freebsd-security@freebsd.org
Received: from rhadamanth.submonkey.net (pc4-card4-0-cust162.cdf.cable.ntl.com [80.4.14.162]) by hub.freebsd.org (Postfix) with ESMTP id 9B96F37B419 for ; Wed, 27 Mar 2002 08:08:09 -0800 (PST)
Received: from setantae by rhadamanth.submonkey.net with local (Exim 3.35 #1) id 16qFsr-000Fuh-00; Wed, 27 Mar 2002 16:02:45 +0000
Date: Wed, 27 Mar 2002 16:02:45 +0000
From: Ceri
To: Tom Rhodes
Cc: Michael Lucas , dan@tangledhelix.com, freebsd-security@FreeBSD.ORG
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-ID: <20020327160245.GA60990@submonkey.net>
Mail-Followup-To: Ceri , Tom Rhodes , Michael Lucas , dan@tangledhelix.com, freebsd-security@FreeBSD.ORG
References: <20020326185714.F22539@mail.webmonster.de> <20020326182003.F15545-100000@patrocles.silby.com> <20020326181634.A919@lothlorien.tangledhelix.net> <20020327074236.B86929@blackhelicopters.org> <20020327110100.6d638389.darklogik@pittgoth.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020327110100.6d638389.darklogik@pittgoth.com>
User-Agent: Mutt/1.3.28i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Mar 27, 2002 at 11:01:00AM -0500, Tom Rhodes wrote:
> On Wed, 27 Mar 2002 07:42:36 -0500
> Michael Lucas wrote:
>
> > On Tue, Mar 26, 2002 at 06:16:34PM -0500, Dan Lowe wrote:
> > > Previously, Mike Silbersack wrote:
> > > >
> > > > Yes, upgrading clients to v2 would be best. However, I don't
> > > > think that locking out v1 users would be the best way to achieve
> > > > that. The most likely result of doing so would be people
> > > > falling back to telnet.
> > >
> > > On a system where security is of any concern whatsoever, why would
> > > telnet be available in the first place?
> >
> > I just dealt with a group of "senior" admins here in Detroit who
> > weren't familiar with the problems of telneting to their Ciscos.
> > Ethereal was quite the shock to them. :-)
> >
> > It's taken us years to basically scrub telnet off the map, and it's
> > still not gone. SSHv1 is far better than telnet, and there are any
> > number of v1 clients still out there. Please don't make it any
> > harder than it absolutely has to be.
> >
> > Perhaps a comment in the file, "we recommend using v2 whenever
> > possible", so people stumble across it frequently even if they don't
> > bother reading the docs?
>
> How about a nice addition to the ssh manual pages just because I do
> not think they describe things well enough. For instance, when I
> first started using scp(1), I fought like hell before I figured it
> out. I do not feel the manual page had a clear description of how
> to use scp(1). It did, however, cover the options well... I think
> that it should describe how to use protocol 2, I also think it should
> point you to a reference of the use options.

I think the scp(1) manpages are clear enough, to be honest. I mean,
the syntax is essentially just a mix between cp(1) and ssh(1), except
that it treats a destination filename containing a ':' as a
hostname:path combination. I can even tab-complete with scp over the
network (and so could you, with the correct tcsh incantations).

I would imagine that any problems you had with scp(1) were more rooted
in the "getting my key working" area than with actually typing

# scp foo wibble quux host.example.com:/tmp

Surely ?

Therefore perhaps we just need a doc on how to get keys working (and
I'm not convinced we need that, but I've been using ssh for a long
time).

Ceri
--
keep a mild groove on

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
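The thread above weighs locking out SSH protocol 1 against leaving it enabled with a comment in the config file recommending v2. A small audit check is the defender's middle ground: it reports whether a given sshd_config still permits protocol 1, so an admin can find the hosts that need attention without changing anything. The script below is an added example written for this archive page, not code from the thread or from OpenSSH. It assumes the config file path is passed as an argument, that the directive is spelled `Protocol` with a comma-separated version list (as in OpenSSH of that era), and, as a conservative assumption, that a missing directive means v1 may still be enabled. The sample config files it creates are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an sshd_config
# for the "Protocol" directive and report whether SSH protocol 1 is still
# permitted. Defender-side check only; it never modifies the file.

# Print the effective Protocol value: the first uncommented "Protocol" line's
# argument. If no such line exists, print "1,2" (assumption: treat a missing
# directive conservatively, as if protocol 1 were still allowed).
ssh_protocol_value() {
    conf="$1"
    val=$(awk 'tolower($1) == "protocol" { print $2; exit }' "$conf")
    if [ -n "$val" ]; then
        echo "$val"
    else
        echo "1,2"
    fi
}

# Return 0 when only protocol 2 is enabled, 1 when protocol 1 is permitted.
ssh_v1_disabled() {
    case "$(ssh_protocol_value "$1")" in
        *1*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Human-readable report for one config file; used by the usage loop below.
ssh_protocol_report() {
    if ssh_v1_disabled "$1"; then
        echo "$1: OK (Protocol $(ssh_protocol_value "$1"))"
    else
        echo "$1: WARNING, SSH protocol 1 still permitted (Protocol $(ssh_protocol_value "$1"))"
    fi
}

# Constructed sample configs for demonstration (written to a temp directory).
# "good" carries the comment Michael Lucas proposed plus a v2-only setting;
# "weak" allows both versions; "absent" has the directive commented out.
make_samples() {
    dir=$(mktemp -d)
    printf '# we recommend using protocol 2 whenever possible\nProtocol 2\n' > "$dir/good"
    printf 'Port 22\nProtocol 2,1\n' > "$dir/weak"
    printf '#Protocol 2\nPort 22\n' > "$dir/absent"
    echo "$dir"
}

# Usage: run the report over the samples, or over a real file given as $1.
if [ -n "$1" ]; then
    ssh_protocol_report "$1"
else
    d=$(make_samples)
    for f in "$d/good" "$d/weak" "$d/absent"; do
        ssh_protocol_report "$f"
    done
    rm -rf "$d"
fi
```

Run it with no arguments to see the three constructed samples classified, or pass the path of a real sshd_config to audit a host; only the "good" sample comes back clean, because both an explicit `2,1` and a commented-out directive leave protocol 1 reachable under this check's assumptions.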