Damien Miller <djm at mindrot.org> writes: > On Thu, 2 Jan 2014, Gerald Turner wrote: >> Every time the cipher is re-keyed, VisualHostKey clobbers the >> terminal, usually with broken line feeds such that the ascii-art is >> unintelligible and wraps off the right side of the terminal. This is >> annoying, especially with a screen(1) full of ssh sessions that may >> be idle and re-keyed several times over a weekend, coming back and >> having to work through clearing the screens of each session (^L >> suffices for a shell or emacs, but sometimes the session is in a >> curses application, or lost information while tailing a log, etc.). >> This gets uglier when making use of the fantastic ControlPersist >> options - seemingly logged out ssh session still blast the initial >> terminal with re-keying fingerprints. > > Could you please file a bug for this on https://bugzilla.mindrot.org/ > ? We should suppress the message on rekeying. Opened https://bugzilla.mindrot.org/show_bug.cgi?id=2194 Thanks! >> It seems VerifyHostKeyDNS=yes short-circuits VisualHostKey - it's >> neither displayed on initial connection, or on re-keying (good). > > If you really want to see it, maybe we could make a > VisualHostKey=always option? Actually I'm fine with VerifyHostKeyDNS=ask (was only using 'yes' as an intermediate hack to get rid of the fingerprint spam). >> P.S. I think it's wonderful you folks are working on curve25519, >> ed25519, and chacha20+poly1305. I've moved a bunch of systems to >> ECDHE last year, great speedup, especially from crap Atom clients, >> but feel that I've shot myself in the foot after Schneier's >> denouncement of the NIST curves. > > IMO the concerns about the NIST EC curves are a bit overblown. If the > NSA had some way of breaking EC directly, then they wouldn't need to > resort to things like Dual_EC_DRBG. Nevertheless, the "Safe Curves" work by DJB and Tanja Lange is rather convincing that we should have better curves than the NIST curves: http://safecurves.cr.yp.to/ -- Gerald Turner Email: gturner at unzane.com JID: gturner at unzane.com GPG: 0xFA8CD6D5 21D9 B2E8 7FE7 F19E 5F7D 4D0C 3FA0 810F FA8C D6D5 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140103/be85d5e8/attachment.bin>
