eliott schrieb:
Just because you can't see it doesn't mean it doesn't exist. unhashed known_hosts *is* more unsecure. If someone gets access to your account, they would get a) your key b) a list of hosts that the key is valid for hey! great! Compund this with the fact that many people use keys without a passphrase (a bad practice), someone can 'harvest' known_host data, and worm out to other hosts.. here is the kicker ... in a way that is easily automated.
The point is, without any notice, we provided a different configuration file than the upstream configuration file. That's not how we do it, we always provide the upstream configuration file.
If someone thinks that having unhased known_hosts is a security problem, then he/she can change this configuration option on his/her system, that is how Arch works. But now that hashed known_hosts silently became the default, I cannot revert back.
Attachment:
signature.asc
Description: OpenPGP digital signature
