As promised, I've rolled up everything I know about how to use lsh so far
(assuming the user knows how to use rsh/rlogin) into an HTML document.
The rough draft is available at http://cybernut.com/lsh.html and while
I've gotten rid of almost all the red text (for those of you that have
already looked at it), I do have just a few known issues left. Feel free
to inform me of anything I might have overlooked. I'm an lsh newbie, but I
think I've got the concepts down.

I was under the impression that SECSH had made it to RFC status, but all I
can find defining it are expired drafts. Has it not made it to RFC status
yet, or is www.normos.org not up to date? I don't know which would be
worse, that we're coding to expired drafts, which aren't supposed to be
used as reference material to begin with, or that my favorite place to
search for RFCs is out of date. Hmmm. Just found the SECSH-charter
homepage, and they list everything as drafts (though the last-modified
date is June 99), so it looks like that is the case.

How stable do most people find recent lsh snapshots? Do you trust lsh to
provide security? I know the documentation says not to trust it, but I
think that's a little out of date. Aside from potential exploits
(potential as in I haven't proven that they don't exist, not as in they're
there, but haven't been exploited yet), lsh seems to offer complete enough
an implementation of SECSH to be quite useful.

What is the current status of port forwarding?

What is the best way to confirm that you've captured the correct host key,
if you don't have the fingerprint generated from the host's public key?
At this time, I'm recommending that the user authorize their identity,
then reconnect, on the possibly wrong assumption that unless that identity
has been compromised, any man-in-the-middle attack would have to change
the fingerprint of the public key given to the server, causing public key
authentication to fail. Of course, this fails if someone is pretending to
be the server, rather than doing a man-in-the-middle attack.

Oh, and out of curiosity, how do people normally capitalize lsh? Do you
treat it as a normal word, with the L capitalized when at the start of a
sentence? Don't ask me why it's bothering me, but I was horribly
inconsistent within my document, until the last revision, where I decided
that any time I referred to the set of programs that make up lsh, I'd
capitalize the whole thing, and if I was referring to the client program
lsh, I'd put it in lower case. That seemed to work since I never started
a sentence with lsh the program.
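
The two cases raised in the host-key question above (a relaying man-in-the-middle versus a host that only pretends to be the server) can be modelled as follows. This is an added example, not part of the original message or of lsh: it assumes the SECSH behaviour of signing the per-connection session identifier during public-key authentication, and the toy RSA, function names, user name and host-key strings are all constructed.

```python
import hashlib
import os

# Toy RSA signature over fixed small primes: illustration only, not secure.
P, Q, E = 2**61 - 1, 2**31 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # the user's private exponent

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    return pow(digest(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest(data)

def session_id(host_key: bytes) -> bytes:
    # Stand-in for the key-exchange hash: it covers the host key presented on
    # this leg plus fresh values from both ends, so each connection gets its own.
    return hashlib.sha256(host_key + os.urandom(16) + os.urandom(16)).digest()

def auth_request(sid: bytes, user: bytes) -> bytes:
    # What the client signs: session identifier plus the request fields.
    return sid + b"|" + user + b"|publickey"

def real_server_accepts(sid_seen_by_server: bytes, user: bytes, sig: int) -> bool:
    # The genuine server checks the signature against its own session identifier.
    return verify(auth_request(sid_seen_by_server, user), sig)

def impostor_accepts(sid: bytes, user: bytes, sig: int) -> bool:
    # A host that only pretends to be the server has no need to verify anything.
    return True

def direct_login() -> bool:
    sid = session_id(b"REAL-HOST-KEY")
    return real_server_accepts(sid, b"alice", sign(auth_request(sid, b"alice")))

def mitm_relay_login() -> bool:
    # Leg 1 (client to relay) and leg 2 (relay to server) are separate key exchanges.
    sid_client = session_id(b"WRONG-HOST-KEY")
    sig = sign(auth_request(sid_client, b"alice"))
    sid_server = session_id(b"REAL-HOST-KEY")
    return real_server_accepts(sid_server, b"alice", sig)  # relayed signature

def impostor_login() -> bool:
    sid = session_id(b"WRONG-HOST-KEY")
    return impostor_accepts(sid, b"alice", sign(auth_request(sid, b"alice")))
```

A successful reconnect therefore rules out only the relay case; it says nothing when the wrong host key belongs to an endpoint that accepts every login, which is why comparing the fingerprint obtained over a separate trusted channel remains the reliable check.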