Re: Integrity protection of fetches

On Fri, 6 Aug 2010, Till Maas wrote:

> On Thu, Aug 05, 2010 at 04:32:36PM -0500, Mike McGrath wrote:
> > On Thu, 5 Aug 2010, Till Maas wrote:
>
> > > Yes ssh is secure if used properly. To get the proper known_hosts entry,
> > > one has to download https://admin.fedoraproject.org/ssh_known_hosts btw.
> > >
> >
> > We also use SSHFP records for those of you that want to enable
> > VerifyHostKeyDNS yes in their ~/.ssh/config files.  Not all of our hosts
> > have it but many of our 'user' based external hosts do (pkgs,
> > fedorapeople, fedorahosted, etc)
>
> Afaik the SSHFP records are not protected against tampering by an MITM
> attacker.
>

They're better than ssh alone.  They're only used for the first initiation.
So you'd have to be MITM'ed on the first connection in which case you're
right, they wouldn't protect against that.

	-Mike
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
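
An added example, not part of the original messages: the two sources named in the thread, the ssh_known_hosts file fetched over HTTPS and the SSHFP records in DNS, can be cross-checked against each other. It computes the SSHFP fingerprint of a known_hosts key and compares it with a record; the host name and key bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_known_hosts_line(line):
    """Return (key_type, key_blob) for a plain, unhashed known_hosts entry."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
        raise ValueError("unsupported known_hosts line")
    key_type, blob = fields[1], base64.b64decode(fields[2], validate=True)
    # The key blob begins with a length-prefixed copy of the key type.
    if not blob.startswith(struct.pack(">I", len(key_type)) + key_type.encode()):
        raise ValueError("key type does not match key blob")
    return key_type, blob


def parse_sshfp(record):
    """Parse '<name> IN SSHFP <alg> <fptype> <hex>' into (alg, fptype, digest)."""
    fields = record.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), bytes.fromhex("".join(fields[i + 3:]))


def key_matches_sshfp(known_hosts_line, sshfp_record):
    """True only if the record's algorithm and digest both match the key."""
    key_type, blob = parse_known_hosts_line(known_hosts_line)
    alg, fp_type, digest = parse_sshfp(sshfp_record)
    if KEY_ALGS.get(key_type) != alg or fp_type not in FP_TYPES:
        return False
    return hmac.compare_digest(FP_TYPES[fp_type](blob).digest(), digest)


def constructed_line(host, seed):
    """Build a known_hosts line around 32 placeholder bytes (not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + hashlib.sha256(seed).digest()
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


SAMPLE_LINE = constructed_line("host.example.org", b"constructed sample")
SAMPLE_SSHFP = "host.example.org. IN SSHFP 4 2 " + hashlib.sha256(
    parse_known_hosts_line(SAMPLE_LINE)[1]).hexdigest()

if __name__ == "__main__":
    print("match:", key_matches_sshfp(SAMPLE_LINE, SAMPLE_SSHFP))
```

A mismatch between the two sources is the signal to investigate before accepting a host key.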

