On Fri, 6 Aug 2010, Till Maas wrote: > On Thu, Aug 05, 2010 at 04:32:36PM -0500, Mike McGrath wrote: > > On Thu, 5 Aug 2010, Till Maas wrote: > > > > Yes ssh is secure if used properly. To get the proper known_hosts entry, > > > one has to download https://admin.fedoraproject.org/ssh_known_hosts btw. > > > > > > > We also use SSHFP records for those of you that want to enable > > VerifyHostKeyDNS yes in their ~/.ssh/config files. Not all of our hosts > > have it but many of our 'user' based external hosts do (pkgs, > > fedorapeople, fedorahosted, etc) > > Afaik the SSHFP records are not protected against tampering by an MITM > attacker. > They're better then ssh alone. They're only used for the first initation. So you'd have to be MITM'ed on the first connection in which case you're right, they wouldn't protect against that. -Mike -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel