--On Saturday, November 18, 2000 12:33 PM -0500 "Greg A. Woods"
<[EMAIL PROTECTED]> wrote:
> Sorry, no, that's not the only case by far. In the common way SSH is
> used the other, and far more important, case is when the initial
> connection is made. If a rogue server process could open and listen on
> the default port (say there was no sshd running, or there was some bug
> that could trigger the crash of the real one) then it could hand out a
> bogus host key on the *initial* handshake. An unsuspecting user could
> connect to a server for the first time and be tricked into accepting a
> bogus key.
Once again - we're talking about requiring the _client_ to use a
privileged port, not the server. Please comment appropriately.
--
Carson Gaspar - [EMAIL PROTECTED]
Queen trapped in a butch body