On Tue, 2010-08-10 at 09:07 -0600, Stephen John Smoogen wrote: > On Sun, Aug 8, 2010 at 14:04, Matt McCutchen <matt@xxxxxxxxxxxxxxxxx> wrote: > > On Thu, 2010-08-05 at 22:23 +0200, Till Maas wrote: > >> Yes ssh is secure if used properly. To get the proper known_hosts entry, > >> one has to download https://admin.fedoraproject.org/ssh_known_hosts btw. > > > > I'm very glad to see that Fedora provides such a list. I just installed > > it on my computer (after filtering out hostnames not ending with > > fedoraproject.org, for obvious reasons). > > > > Is it documented anywhere? For full security, every packager should > > install it rather than allowing ssh to add host keys on first use. > > Well I am not sure that file would be all that useful as it contains > lots of hosts a packager would not get to AND could conflict with > other networks as it contains a lot of 10.X.X. and 192.X.X. ips. Then let's post an excerpt that would be useful to packagers. > It also gets updated from time to time as we rebuild hosts. That just speaks to the need for better tooling to maintain personal known-hosts files, or for Fedora to operate an ssh certificate authority. It appears that the ssh folks rejected X.509 out of disgust for the public CAs, found themselves left with no solution at all to authenticate hosts the first time, and are now reimplementing it incompatibly. The man page claims the ssh implementation is "much simpler" -- perhaps, but it won't integrate with X.509-based systems and will be playing catch-up on features for a while. CRLs or OCSP, anyone? A thread from 2002 with some frank discussion that is still valid now: http://marc.info/?t=101179752100001&r=1&w=2 -- Matt -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel