The reasoning is the same for SSH2 as for SSH1. Generating keys is slow,
and you have to decrease your key size to compensate. And that makes it
potentially faster for someone to crack the key.

To paraphrase the man page about the -i flag: "Don't Do That"

--
Gregor Mosheh
[EMAIL PROTECTED]
Systems Admin, Humboldt Internet
707.825.4638


On Tue, 20 Jun 2000, Steven M. Bellovin wrote:

> In message <[EMAIL PROTECTED]>, Rick Moen writes:
> >begin  Armand Welsh quotation:
> >
> >> I don't know the specifics on why it's started this way, but I do know that
> >> my ssh daemon reads the hosts.allow, and hosts.deny files, and bases its
> >> security off of these.  So that may be the reason.
> >
> >Nope.  That goal can be accomplished by compiling sshd with libwrap, and
> >not running it under inetd.
> >
> >I can't think of any situation where it's beneficial to run sshd under
> >inetd, except for extreme RAM shortages (which suggest an obvious and
> >different cure).  I'd say somebody made an error.
> 
> I haven't checked ssh2, but for ssh1 the reason was to save the expense 
> of large prime generation at start-up.  This is clearly documented in 
> the man page.  What, if anything, does the sshd2 man page say about the 
> -i flag (or equivalent)?
> 
> 
>               --Steve Bellovin
> 
> 
> 

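Rick Moen's point above is that the hosts.allow/hosts.deny behaviour Armand wants does not require inetd: an sshd built against libwrap consults those files itself. The script below is an added example, not code from anyone in this thread. It writes a tcp_wrappers configuration that admits sshd only from one trusted network, checks whether a given sshd binary is actually linked against libwrap (without that, the files are silently ignored), and flags the common mistake of an "sshd: ALL" line in hosts.allow. The daemon name "sshd", the 192.168.1.0/255.255.255.0 network and the output directory are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes classic tcp_wrappers
# syntax and an sshd built with libwrap; the network and daemon name are
# illustrative.

# Write a hosts.allow/hosts.deny pair into DIR that admits sshd only from
# NET/MASK and denies every other wrapped service by default.
write_wrappers_config() {
    dir=$1; net=$2; mask=$3
    cat > "$dir/hosts.allow" <<EOF
# tcp_wrappers: allow sshd only from the trusted network (assumed value)
sshd: $net/$mask
EOF
    cat > "$dir/hosts.deny" <<EOF
# default deny for every service that consults tcp_wrappers
ALL: ALL
EOF
}

# Return 0 if the sshd binary at BIN is linked against libwrap, 1 if it is
# not (hosts.allow/hosts.deny will be ignored), 2 if it cannot be inspected.
sshd_has_libwrap() {
    bin=$1
    [ -x "$bin" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    if ldd "$bin" 2>/dev/null | grep -q libwrap; then
        return 0
    fi
    return 1
}

# Count hosts.allow lines that grant sshd access from ALL; any non-zero
# count means the network restriction is not actually in force.
count_sshd_allow_all() {
    grep -ci '^sshd:[[:space:]]*ALL' "$1" || true
}

# Stand-alone usage: write the files to a scratch directory and report.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_wrappers_config "$d" 192.168.1.0 255.255.255.0
    cat "$d/hosts.allow" "$d/hosts.deny"
    sshd_has_libwrap /usr/sbin/sshd; echo "libwrap check exit status: $?"
fi
```

With this in place sshd can run standalone (no -i, no inetd, no per-connection key regeneration) and still honour hosts.allow/hosts.deny. One caveat for anyone reading this today: portable OpenSSH removed its built-in tcp_wrappers support in 6.7, so on a modern system the libwrap check above will report 1 and the equivalent restriction belongs in sshd_config (Match address blocks) or the host firewall.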