[ On Tuesday, November 21, 2000 at 13:46:48 (-0800), Carson Gaspar wrote: ]
> Subject: Re: ssh tunnelling over ssh ?
>
> --On Saturday, November 18, 2000 12:33 PM -0500 "Greg A. Woods"
> <[EMAIL PROTECTED]> wrote:
>
> > Sorry, no, that's not the only case by far. In the common way SSH is
> > used, the other, and far more important, case is when the initial
> > connection is made. If a rogue server process could open and listen on
> > the default port (say there was no sshd running, or there was some bug
> > that could trigger the crash of the real one) then it could hand out a
> > bogus host key on the *initial* handshake. An unsuspecting user could
> > connect to a server for the first time and be tricked into accepting a
> > bogus key.
>
> Once again - we're talking about requiring the _client_ to use a
> privileged port, not the server. Please comment appropriately.

No, I'm not talking about the client -- I'm talking explicitly about the
server needing to use a privileged port in order that the client can
trust it *BEFORE* a valid host key association has been established.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>