"Alfred M. Szmidt" <[EMAIL PROTECTED]> writes:

> > Telnet has worse security than even a buggy miserably fake ssh.
> >
> > Telnet has _no_ security. It doesn't have fake security, which you
> > get by using crappy random bits and Open SSH. That is a huge
> > difference. Open SSH was designed for security, telnet was _not_.
>
> What? So you are saying that telnet is better than a fake ssh?
>
> Yes, in the sense that it does _NOT_ give the user a sense of fake
> security.

This is an excellent reason to document what we do carefully and
completely.

> The kind of security that I do _not_ stand up for is the kind that
> gives the user a fake feeling. Which is what you want to do with
> adding weirdo hacks. The best suggestion has been to compile Open SSH
> with its own flags for gathering random bits on systems that do not
> support /dev/random or /dev/urandom.

No, not at all. I don't want to give the user a fake feeling. I want
the user to be able to make a judgement "in this case, the security is
not important, but telnet is a major hassle, so I choose the fake ssh".

> Are you even following this discussion? I have not said a single word
> of the exclusion of ssh, not even muttered it, or implied it. I am
> against including an unsecure random translator!!!

Geez, there are enough proposals on the table already. urandom isn't
guaranteed anything anyway, really, but I agree that we should do the
best we can, which might mean something nicely pseudo-random based on
something like the clock or the process table. I'm not in favor of
just linking it to bash. But I do *not* agree that linking it to bash
is bad on the grounds that we should never ever do such a thing, but
only because we can do better with little extra work.