On Thu 09 Mar 2000, Jacob Kuntz wrote:
> isn't the problem here that the server is misrepresenting itself? a one bit
> difference may not make a less secure key, but it could quite possibly be an
> indication of some deception. i worry that altering the client to ignore
> this type of error will only open us up to attack, be it man-in-the-middle
> or otherwise.

Warning: my crypto knowledge is pretty poor.

Someone somewhere in this thread said that the problem was that the old ssh could generate a key that had the MSbit off, and that was the cause of these messages. I'm now thinking: if the MSbit *MUST* be set, how does that increase the security? N bits of key is no less secure than N+1 bits where you know the value of one bit. Isn't openssh simply confused in this case?

I myself notice that openssh complains about half the time when connecting to a random number of different hosts (I connect daily to a random 5-10 systems out of a collection of 700 hosts (each running ssh 1.2.17), which IMHO means the sample is quite random, but then statistics lessons were a long time ago).

Paul Slootman
-- 
home: [EMAIL PROTECTED] http://www.wurtel.demon.nl/
work: [EMAIL PROTECTED] http://www.murphy.nl/
debian: [EMAIL PROTECTED] http://www.debian.org/
isdn4linux: [EMAIL PROTECTED] http://www.isdn4linux.de/
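
An added illustration, not part of the message above and not code from ssh or OpenSSH: it measures how often an RSA modulus comes out one bit shorter than its announced size when the generator forces only the top bit of each prime, and how forcing the top two bits removes the mismatch. How ssh 1.2.17 actually picks its primes is not stated in this thread, so the generator here is an assumption, as are the function names and the toy 64-bit key size (chosen for speed).

```python
import random

def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 3.4e14."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # no square reached n-1: composite
    return True

def random_prime(bits, rng, top_two=False):
    """Random prime of exactly `bits` bits; top_two also sets the second-highest bit."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if top_two:
            c |= 1 << (bits - 2)
        if is_prime(c):
            return c

def short_modulus_rate(announced_bits, trials, top_two, seed=2000):
    """Fraction of moduli n = p*q whose real bit length is below announced_bits."""
    rng = random.Random(seed)  # fixed seed: constructed, repeatable sample
    half = announced_bits // 2
    short = 0
    for _ in range(trials):
        n = random_prime(half, rng, top_two) * random_prime(half, rng, top_two)
        short += n.bit_length() < announced_bits  # the announced-vs-actual check
    return short / trials

if __name__ == "__main__":
    print("top bit only :", short_modulus_rate(64, 2000, top_two=False))
    print("top two bits :", short_modulus_rate(64, 2000, top_two=True))
```

With only the top bit forced, both primes lie in [2^(k-1), 2^k), so the product can fall below 2^(2k-1); with the top two bits forced, each prime is at least 0.75 * 2^k and the product always has the full 2k bits.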