so what about bcrypt?
http://en.wikipedia.org/wiki/Bcrypt
On Thu, Jun 21, 2012 at 7:38 PM, Aaron D. Gifford wrote:
> On Tue, Jun 19, 2012 at 12:14 PM, Simon L. B. Nielsen
> wrote:
> ..snip...
>> The FreeBSD Security Team is also looking at (/poking people to look at)
>> solutions which will im
On Mon, 25 Jun 2012 10:36:00 +
Aaron Zauner wrote:
> so what about bcrypt?
>
> http://en.wikipedia.org/wiki/Bcrypt
We already have it, read the previous thread on the subject, it's
only nine threads up.
___
freebsd-security@freebsd.org mailing li
> And as a flip side to the argument, is there a reason not to
> raise the default to 4096? Certainly the same advances in
> processors makes this size key quite usable. I've seen no
> noticeable slowness with 4096 bit RSA or 521 bit ECDSA.
Robert, A good question and it's good to check under
On Mon, Jun 25, 2012 at 02:31:04AM +0100, RW wrote:
> On Sun, 24 Jun 2012 17:23:47 -0400
> Robert Simmons wrote:
>
> > On Sun, Jun 24, 2012 at 5:18 PM, Dag-Erling Smørgrav
> > wrote:
> > > Robert Simmons writes:
> > >> In light of advances in processors and GPUs, what is the potential
> > >> f
RW writes:
> Dag-Erling Smørgrav writes:
> > You do know that these keys are used only for authentication, and
> > not for encryption, right?
> I'm not very familiar with ssh, but surely they're also used for
> session-key exchange, which makes them crucial to encryption. They
> should be as secu
On Sun, Jun 24, 2012 at 10:10:33PM -0400, Robert Simmons wrote:
> On Sun, Jun 24, 2012 at 9:46 PM, Bjoern A. Zeeb
> wrote:
> >
> > On 24. Jun 2012, at 17:14 , Robert Simmons wrote:
> >
> >> On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb
> >> wrote:
> >>> On 24. Jun 2012, at 16:07 , Robert Simm
Hi, Dag-Erling,
Here is a patch from OpenBSD which makes ssh-keyscan fetch ECDSA
keys by default, to match the default hostkey algorithm.
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
Xin Li writes:
> Here is a patch from OpenBSD which makes ssh-keyscan fetch ECDSA
> keys by default, to match the default hostkey algorithm.
Please commit to head with MFC after: 1 week.
DES
--
Dag-Erling Smørgrav - d...@des.no
The proposed change has been committed as r237567 (for vendor branch)
and r237568 (merged to -HEAD with 1 week settle). Thanks!
Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
Xin Li writes:
> The proposed change has been committed as r237567 (for vendor branch)
> and r237568 (merged to -HEAD with 1 week settle). Thanks!
Looks great, thanks
DES
--
Dag-Erling Smørgrav - d...@des.no
On Mon, 25 Jun 2012 18:09:14 +0200
Dag-Erling Smørgrav wrote:
> RW writes:
> > Dag-Erling Smørgrav writes:
> > > You do know that these keys are used only for authentication, and
> > > not for encryption, right?
> > I'm not very familiar with ssh, but surely they're also used for
> > session-key
On 06/25/2012 02:38 PM, RW wrote:
> On Mon, 25 Jun 2012 18:09:14 +0200
> Dag-Erling Smørgrav wrote:
>
>> RW writes:
>>> Dag-Erling Smørgrav writes:
>>>> You do know that these keys are used only for authentication, and
>>>> not for encryption, right?
>>> I'm not very familiar with ssh, but surel
On Mon, 25 Jun 2012 14:59:05 -0700
Doug Barton wrote:
> >> Having a copy of the host key allows you to do one thing and one
> >> thing only: impersonate the server. It does not allow you to
> >> eavesdrop on an already-established connection.
> >
> > It enables you to eavesdrop on new connection
On 06/25/2012 15:53, RW wrote:
> On Mon, 25 Jun 2012 14:59:05 -0700
> Doug Barton wrote:
>
>>>> Having a copy of the host key allows you to do one thing and one
>>>> thing only: impersonate the server. It does not allow you to
>>>> eavesdrop on an already-established connection.
>>>
>>> It enable
On Mon, 25 Jun 2012 16:45:24 -0700
Doug Barton wrote:
> On 06/25/2012 15:53, RW wrote:
> > On Mon, 25 Jun 2012 14:59:05 -0700
> > Doug Barton wrote:
> >
> Having a copy of the host key allows you to do one thing and one
> thing only: impersonate the server. It does not allow you to
> >
On 06/25/2012 17:53, RW wrote:
> On Mon, 25 Jun 2012 16:45:24 -0700
> Doug Barton wrote:
>
>> On 06/25/2012 15:53, RW wrote:
>>> On Mon, 25 Jun 2012 14:59:05 -0700
>>> Doug Barton wrote:
>>>
>> Having a copy of the host key allows you to do one thing and one
>> thing only: impersonate the
On Mon, 25 Jun 2012 17:58:50 -0700
Doug Barton wrote:
> On 06/25/2012 17:53, RW wrote:
> > On Mon, 25 Jun 2012 16:45:24 -0700
> > Doug Barton wrote:
> >
> >> On 06/25/2012 15:53, RW wrote:
> >>> On Mon, 25 Jun 2012 14:59:05 -0700
> >>> Doug Barton wrote:
> >>>
> >> Having a copy of the host k
On 06/25/2012 18:46, RW wrote:
> On Mon, 25 Jun 2012 17:58:50 -0700
> Doug Barton wrote:
>
>> On 06/25/2012 17:53, RW wrote:
>>> On Mon, 25 Jun 2012 16:45:24 -0700
>>> Doug Barton wrote:
>>>
>>>> On 06/25/2012 15:53, RW wrote:
>>>>> On Mon, 25 Jun 2012 14:59:05 -0700
>>>>> Doug Barton wrote:
>>>>>
< said:
> Right. That's what Dag-Erling and I have been saying all along. If you
> have the private host key you can impersonate the server. That's not a
> MITM attack. That's impersonating the server.
If you can impersonate an ssh server, you can also do MitM, if the
client isn't using an authen
On 06/25/2012 19:13, Garrett Wollman wrote:
> < said:
>
>> Right. That's what Dag-Erling and I have been saying all along. If you
>> have the private host key you can impersonate the server. That's not a
>> MITM attack. That's impersonating the server.
>
> If you can impersonate an ssh server, yo
On Mon, 25 Jun 2012 18:55:54 -0700
Doug Barton wrote:
> >> My point is that the ssh protocol is designed specifically to
> >> prevent what you're describing.
> >
> > If you've obtained the server's private key by breaking the public
> > key you can accept connections from clients just as if you
On Mon, 25 Jun 2012 19:20:35 -0700
Doug Barton wrote:
> For the zillionth time, my point is that being able to impersonate the
> server is not going to get you anywhere for sessions *other* than the
> ones that terminate at your fake-but-has-the-private-key host.
It's actually the first time tha
On Tue, Jun 26, 2012 at 03:56:09AM +0100, RW wrote:
> On Mon, 25 Jun 2012 18:55:54 -0700
> Doug Barton wrote:
>
>
> > >> My point is that the ssh protocol is designed specifically to
> > >> prevent what you're describing.
> > >
> > > If you've obtained the server's private key by breaking the
Thanks Xin Li.
sunpoet, I don't suppose you could port this into
security/openssh-portable? Could you?
On Mon, Jun 25, 2012 at 12:07:04PM -0700, Xin Li wrote:
> The proposed change has been committed as r237567 (for vendor branch)
> and r237568 (merged to -HEAD with 1 week settle). Thanks!