Re: can compression be safely used with SSH?

On Sat, 22 Nov 2014, Philippe Cerfon wrote:

> Hello.
> 
> >Even if delayed compression is only activated after authentication,
> >the fact that delayed compression will be used has already been
> >negotiated before authentication and can't be changed retroactively.
> 
> Couldn't the server simply abort a connection in the case that it sees
> that the negotiated compression algorithm doesn't fit, once the user
> is determined?
> Bailing out with some error message, before the client could have done anything.
> 
> This is perhaps not the cleanest way, but in practice it should do
> quite well, and the same could possibly be done to allow many other
> directives to be used inside Match, for which this is currently
> impossible.

Killing the connection if the client suggests the wrong option is
quite hostile to the user. I don't think we'd want that.

It's theoretically possible to force a rekeying after authentication
with new options, but this is slow: several client/server round-trips
plus the potentially very slow key exchange crypto. IMO it's too slow
and confusing to be worth implementing.

> One could for example restrict certain authentication methods (or
> their options) to certain users/groups.

OpenSSH has supported this for years; see the documentation for 'Match'
in sshd_config(5).

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
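An sshd_config fragment illustrating the per-user/group restrictions the reply points to (an added example, not configuration from the thread or from the OpenSSH project; the group name `contractors` and the subnet 192.0.2.0/24 are assumed placeholders):

```sshd_config
# Added example, not from the thread. Compression is a global option:
# sshd_config(5) does not accept it inside a Match block, which is the
# limitation the thread discusses. "delayed" enables it only after
# authentication (newer releases treat it as an alias for "yes").
Compression delayed

# Defaults that apply to every connection
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding yes

# Assumed group 'contractors': require a public key AND a
# keyboard-interactive step, and disable forwarding for them.
Match Group contractors
    AuthenticationMethods publickey,keyboard-interactive
    AllowTcpForwarding no
    X11Forwarding no

# Assumed internal subnet: password logins are tolerated only from here.
Match Address 192.0.2.0/24
    PasswordAuthentication yes
```

The effective settings for a given user and source can be checked without restarting the daemon: `sshd -T -C user=alice,host=host.example,addr=192.0.2.10` prints the configuration that would apply to that connection after Match evaluation.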