IETF Logo Mail Archive

RE: SSH key algorithm updates

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 08 November 2015 03:07 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01BAE1B2C9F for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 7 Nov 2015 19:07:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jyWTo6YT_LYc for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Sat, 7 Nov 2015 19:07:01 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A14F1B2C94 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Sat, 7 Nov 2015 19:07:01 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 70DA914A4A0; Sun, 8 Nov 2015 03:06:59 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 1FEF114A421 for <ietf-ssh@netbsd.org>; Sun, 8 Nov 2015 03:06:55 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Authentication-Results: mail.NetBSD.org (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id PXY_KOANBWc1 for <ietf-ssh@netbsd.org>; Sun, 8 Nov 2015 03:06:54 +0000 (UTC)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id E72B814A402 for <ietf-ssh@netbsd.org>; Sun, 8 Nov 2015 03:06:53 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1446952015; x=1478488015; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=Q2IprKLSbofPRrJmadQ5IEP6t79A4XHGkx0FUq0oKWg=; b=S841Ei9T7erfWUGJEpdrmkFA6FyQ0VQvsQMOAXeBLJnxCndVnGdXMN4s qnk0ZuM3JI4K7wkcaxvsuVjAprjpRuy++D8ejOr7whql+wNHR9fi25qkg 1qyU/0JviUTAqTd3CLwN/2jiFcUVpX8dpaGR2W/BLu27idmWOZ5fV3SaR Y9T4EGYlg1+iBt1evnNoXbYWtuZ73LfVlS73Ru5jUUkVjHYieYe789br4 /nzZEbGiP8CJtghw39DAi2Z8CyhIMYcQdv4WG+8aPMSkdYAOHG8byf48V 6gr0ZsUHFSyeNJA+iO/ICy6p5qIyjHxt+dIF/IG8Yle3Fn72NiRXY3nyc A==;
X-IronPort-AV: E=Sophos;i="5.20,260,1444647600"; d="scan'208";a="53076898"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.171 - Outgoing - Outgoing
Received: from uxchange10-fe4.uoa.auckland.ac.nz ([130.216.4.171]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 08 Nov 2015 16:06:53 +1300
Received: from UXCN10-5.UoA.auckland.ac.nz ([169.254.5.51]) by uxchange10-fe4.UoA.auckland.ac.nz ([169.254.109.63]) with mapi id 14.03.0174.001; Sun, 8 Nov 2015 16:06:52 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Max Horn <postbox@quendi.de>
CC: denis bider <ietf-ssh3@denisbider.com>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>
Subject: RE: SSH key algorithm updates
Thread-Topic: SSH key algorithm updates
Thread-Index: AQHRGMPtBkokXX9VnEy0Wo+WRjNjMZ6PuN8L//+/joCAAfrgSw==
Date: Sun, 08 Nov 2015 03:06:50 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4B59718@uxcn10-5.UoA.auckland.ac.nz>
References: <1955912751-3064@skroderider.denisbider.com> <4540741F-5789-49AA-B917-C822782D0881@quendi.de> <9A043F3CF02CD34C8E74AC1594475C73F4B58910@uxcn10-5.UoA.auckland.ac.nz>, <6740AD14-6E81-49A5-AC2B-5CA8CF2F9F3D@quendi.de>
In-Reply-To: <6740AD14-6E81-49A5-AC2B-5CA8CF2F9F3D@quendi.de>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Max Horn <postbox@quendi.de> writes:

>That's what I've been doing for multiple entries in my list already; but it
>has limitation, e.g. if the binaries are wrapped in an installer, which
>contains only a compressed version of the actual executable. 

There are a bunch of universal extractors that will bypass the need to
install, google "windows installer unpacker", so you don't need to install
random binaries on your system.

>It also can lead to inaccurate results, and does not reveal which methods are
>enabled/disabled by default, etc.

Yeah, that's a good point.  OTOH you then need to do test runs on the app to
try and probe what's present and what isn't.  It depends on how much time you
want to sink into it :-).

>Yes, I was (and am) having precisely the same concern. But now I am wondering
>whether I should just omit the "none" entry completely. After all, it either
>leaves an incorrect bad impression (if people read it as meaning that a
>server supports "non-as-auth" by default), and otherwise is useless, as it
>doesn't tell you whether it actually means it works as "none-as-query".

That sounds like a good idea.  You more or less have to support none-as-query
in order to be able to communicate with some clients, so in theory every
implementation would have to have support for "none".  OTOH I would imagine
few implementations allow you in without authentication, so few would suport
the other "none".

Oh, and you'll need to add columns for the SHA-2 forms of signatures soon :-).

Peter.

v2.23.0 | Report a Bug | By Email