On Sat, 26 Feb 2000, Kris Kennaway wrote:
> On 26 Feb 2000, Bjoern Groenvall wrote:
>
> > Right, the code does not lie (if ssh is setuid root). But, if the host
> > key has not yet been created, then no host can have the public key and
> > thus rsa-rhosts authentication won't work anyways. It is not required
> > to run ssh-keygen to make ssh work, Sshd still requires the host key
> > to operate.
>
> I don't follow you - if no host key is generated, then you can't ever use
> the RSA-rhosts authentication mechanism to log into another server until
> you do. Thus part of ssh's functionality is broken until you generate that
> key, so we do it for you the first time you boot.
I was under the impression that host keys are exchanged before the
authentication type is selected, so a) the identity of the remote is
compared to known_hosts and reacted to accordingly, and b) the remainder
of the session is encrypted no matter what auth type (so, i.e., the
password is encrypted if RSA keys are not used).
I'm thinking of the old/stock sshd, not OpenSSH, but I'm not aware of that
big a change. If I'm wrong please beat me over the head with a large
metal object and carry on like nothing happened. :)
Doug White | FreeBSD: The Power to Serve
[EMAIL PROTECTED] | www.FreeBSD.org
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
