Re: [ILUG] openssh vulnerability

From: John Madden (maddenj at domain skynet.ie)
Date: Wed 26 Jun 2002 - 02:00:06 IST


On (25/06/02 17:38), Rick Moen didst pronounce:
>
> Well, I haven't yet tested using either RSA or DSA keypairs, but
> version-1.5 protocol support definitely is OK (per my tests using
> "ssh -v -1 hostname"). I'll test using keypairs next, I guess.
>
It works fine using the -1 switch to ssh according to
http://www.debian.org/security/2002/dsa-134 -- problem here was that it
was set in the config to use version one for this particular machine,
but it seemed to be ignored. Whatever the problem, using protocol 2 keys
seems to have sorted it out.

> What a pain in the neck this is turning out to be, eh?
>
Agreed. I've been left second guessing implementing privsep all day
(though I haven't had any problems yet, apart from a few people asking
why compression is disabled). I saw the mail saying someone had found a
root sploit with privsep enabled, but have heard nothing else about it.
I don't know whether to believe it or not. But, it kinda leaves you with
either a root sploit without privsep or a possible one with it. I like the
idea of privsep and haven't had any problems with it so far, so I think
I'll be leaving it enabled for the time being.

By the way, just for information purposes, we're running kernel 2.2.20
on Debian with openssh installed using apt-get from testing. I haven't
tried compression yet.

-- 
Chat ya later,
John.
--
BOFH excuse #84: Someone is standing on the ethernet cable, causing a kink in the cable

