Re: Network Security Manager merge time?

From: Ted Zlatanov
Subject: Re: Network Security Manager merge time?
Date: Wed, 19 Nov 2014 13:34:53 -0500
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

On Wed, 19 Nov 2014 18:59:16 +0100 Lars Magne Ingebrigtsen <address@hidden> 

LMI> Ted Zlatanov <address@hidden> writes:
>> I'd rather deprecate it in favor of `nsm-security-level', especially if
>> you're OK with the ability to set the level per host or subnet, and per
>> service. The `gnutls-verify-error' checks are all 'medium I think.

LMI> I can imagine that some people would rather leave all this up to
LMI> gnutls...

As far as user-level customization, I'd rather not have multiple
variables.  The checks will be done the same way, just based on
`network-security-level' instead of specific checkboxes like now.

>> (And I'd name or alias that NSM variable to `network-security-level'
>> because "nsm" means nothing to a new user, assuming NSM will be loaded
>> by default.)

LMI> Yes.


>> (Oh, and I'd make `nsm-save-host-names' t by default, because your
>> worries about information leakage are in the 'high or above security
>> level IMO :)

LMI> Heh.  But ssh has the same paranoid defaults, I think.

I was going to say it doesn't for me on Ubuntu, but apparently in the
last N months+years the default has changed quietly. So now I have no
idea how many of my known_hosts are for virtual machines or other
disposable SSH servers. Grrrrrrreat.  Ah, here's why, from the
ssh_config man page:

     Note that the Debian openssh-client package sets several options as
     standard in /etc/ssh/ssh_config which are not the default in ssh(1):
           ·   HashKnownHosts yes
           ·   GSSAPIAuthentication yes

I'll be disabling that one...