Subject: sshd at anoncvs.netbsd.org broke?
To: None <current-users@netbsd.org>
From: gabriel rosenkoetter <gr@eclipsed.net>
List: current-users
Date: 06/27/2002 11:50:47
--6sX45UoQRIJXqkqR
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
First off, hope it's not got ChallengeResponseAuthentication set to
"yes" (note that you have to *force* this to no!):
grappa:dist/ssh# telnet anoncvs.netbsd.org 22
Trying 204.152.184.161...
Connected to anoncvs.netbsd.org.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.0.2 NetBSD_Secure_Shell-20011206
That aside, I'd kind of like to do a cvs update, but:
grappa:dist/ssh# cat CVS/Root
anoncvs@anoncvs.netbsd.org:/cvsroot
grappa:dist/ssh# echo $CVS_RSH
/usr/bin/ssh
grappa:dist/ssh# ssh -V
OpenSSH_3.2 NetBSD_Secure_Shell-20020422, SSH protocols 1.5/2.0, OpenSSL 0x=
0090602f
grappa:dist/ssh# cvs update -dP
ssh_exchange_identification: Connection closed by remote host
cvs [update aborted]: end of file from server (consult above messages if an=
y)
pserver works, but is obviously less desirable (especially for
things like src/crypto/dist/ssh, which is what I'm trying to update
in this example), since it's susceptible to mitm attacks.
What REALLY scares me about this is that I really doubt that
ChallengeResponseAuthentication is set to "no" on
anoncvs.netbsd.org, since it is, to all appearances, an otherwise-
default install. If that's the case, then what assurance does the
public have that these sources haven't been tampered with?
--=20
gabriel rosenkoetter
gr@eclipsed.net
--6sX45UoQRIJXqkqR
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (NetBSD)
iD8DBQE9GzRX9ehacAz5CRoRAjNJAKCeUFv1UwZ7g0qhsyYXC98LLA8uxgCfWHwm
z4tVOsSUx7eae4wJavhzUTk=
=0Nwg
-----END PGP SIGNATURE-----
--6sX45UoQRIJXqkqR--