Sylvain Beucler <[EMAIL PROTECTED]> wrote:

>> - - I think it must be configurable. In other words, there should be a
>> configuration option, off by default, that permits to activate these
>> checks, to select which one (value like "0" or "rsa1" or
>> "rsa1,rsa,dsa").
>> The comment that comes along the configuration option should not lead
>> people that install Savane that this is the right way to restrict
>> access to their ssh server (ie: they should be made aware of
>> sshd_config options like "Protocol").
>
> How about simply using an on/off switch? It is not about selecting the
> key type, but rather preventing people from inserting an invalid key,
> whatever format it is in.

It's up to the one implementing the check to decide. I assumed that you
wanted to restrict to rsa2 (like it was implemented in the backend
initially). But if you come up with a test that validates rsa1, dsa and
whatever, a 1/0 switch would be ok.

> If the switch is off by default, btw, users won't be warned when they
> insert an invalid key, so maybe we could even get rid of the switch.

But we do not know what kind of key X Savane installation intends to
use. We cannot make valid assumptions in this matter. That's site
specific, so it must be configurable. Even if we think we are able to
list most kinds of keys.

The default settings should not make assumptions on how the installation
is to be used. And checks that restrict usage of the installation must
always be site-configurable (like the tests made on user and group name,
for instance).

Regards,

-- 
Mathieu Roy

  +---------------------------------------------------------------------+
  | General Homepage: http://yeupou.coleumes.org/                       |
  | Computing Homepage: http://alberich.coleumes.org/                   |
  | Not a native english speaker:                                       |
  | http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english      |
  +---------------------------------------------------------------------+
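
One way the check discussed in this message could look, as an added example that is not part of the original thread and not Savane's code. It uses the value syntax proposed above ("0", "rsa1", "rsa1,rsa,dsa"); mapping "rsa" to ssh-rsa and "dsa" to ssh-dss, the function names, and the assumption that lines carry no authorized_keys options prefix are this example's own.

```python
import base64
import binascii
import struct

# Assumed mapping from the option's short names to protocol 2 algorithm names.
V2_ALGOS = {"ssh-rsa": "rsa", "ssh-dss": "dsa"}

def classify_key(line):
    """Return 'rsa1', 'rsa' or 'dsa' for a well-formed public key line, else None."""
    fields = line.split()
    # Protocol 1 RSA key: "<bits> <exponent> <modulus> [comment]", all decimal.
    if len(fields) >= 3 and all(f.isascii() and f.isdigit() for f in fields[:3]):
        bits, modulus = int(fields[0]), int(fields[2])
        # Strictness chosen for this example: the declared size must match.
        return "rsa1" if bits > 0 and modulus.bit_length() == bits else None
    # Protocol 2 key: "<algorithm> <base64 blob> [comment]".
    if len(fields) >= 2 and fields[0] in V2_ALGOS:
        try:
            blob = base64.b64decode(fields[1], validate=True)
        except (binascii.Error, ValueError):
            return None
        if len(blob) < 4:
            return None
        # The blob starts with a length-prefixed copy of the algorithm name;
        # a pasted key whose text was truncated or mislabelled fails here.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] == fields[0].encode() and len(blob) > 4 + n:
            return V2_ALGOS[fields[0]]
    return None

def check_key(line, setting="0"):
    """setting "0" (the default) disables the check; otherwise it is a
    comma-separated list of accepted key kinds, e.g. "rsa1,rsa,dsa"."""
    if setting == "0":
        return True
    allowed = {s.strip() for s in setting.split(",")}
    return classify_key(line) in allowed

def sample_v2(algo):
    """Constructed input: correct framing, dummy payload, not a usable key."""
    name = algo.encode()
    blob = struct.pack(">I", len(name)) + name + b"\x00" * 8
    return "%s %s user@example" % (algo, base64.b64encode(blob).decode())

if __name__ == "__main__":
    for s in ("0", "rsa", "rsa1,rsa,dsa"):
        print(s, check_key(sample_v2("ssh-dss"), s), check_key("8 3 143 demo", s))
```

With the default "0" every line is accepted, so an installation that never sets the option behaves as before; restricting what sshd itself accepts remains a matter for sshd_config.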
