On Fri, 6 Aug 2010, Mike McGrath wrote: > On Fri, 6 Aug 2010, Till Maas wrote: > > > On Thu, Aug 05, 2010 at 04:32:36PM -0500, Mike McGrath wrote: > > > On Thu, 5 Aug 2010, Till Maas wrote: > > > > > > Yes ssh is secure if used properly. To get the proper known_hosts entry, > > > > one has to download https://admin.fedoraproject.org/ssh_known_hosts btw. > > > > > > > > > > We also use SSHFP records for those of you that want to enable > > > VerifyHostKeyDNS yes in their ~/.ssh/config files. Not all of our hosts > > > have it but many of our 'user' based external hosts do (pkgs, > > > fedorapeople, fedorahosted, etc) > > > > Afaik the SSHFP records are not protected against tampering by an MITM > > attacker. > > > > They're better then ssh alone. They're only used for the first initation. > So you'd have to be MITM'ed on the first connection in which case you're > right, they wouldn't protect against that. > Side note on this: Combined with DNSSEC, this actually would protect against a MITM attacker. -Mike -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
