Re: Fedora's ssh known hosts file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2010-08-10 at 09:07 -0600, Stephen John Smoogen wrote: 
> On Sun, Aug 8, 2010 at 14:04, Matt McCutchen <matt@xxxxxxxxxxxxxxxxx> wrote:
> > On Thu, 2010-08-05 at 22:23 +0200, Till Maas wrote:
> >> Yes ssh is secure if used properly. To get the proper known_hosts entry,
> >> one has to download https://admin.fedoraproject.org/ssh_known_hosts btw.
> >
> > I'm very glad to see that Fedora provides such a list.  I just installed
> > it on my computer (after filtering out hostnames not ending with
> > fedoraproject.org, for obvious reasons).
> >
> > Is it documented anywhere?  For full security, every packager should
> > install it rather than allowing ssh to add host keys on first use.
> 
> Well I am not sure that file would be all that useful as it contains
> lots of hosts a packager would not get to AND could conflict with
> other networks as it contains a lot of 10.X.X. and 192.X.X. ips.

Then let's post an excerpt that would be useful to packagers.

> It also gets updated from time to time as we rebuild hosts.

That just speaks to the need for better tooling to maintain personal
known-hosts files, or for Fedora to operate an ssh certificate
authority.

It appears that the ssh folks rejected X.509 out of disgust for the
public CAs, found themselves left with no solution at all to
authenticate hosts the first time, and are now reimplementing it
incompatibly.  The man page claims the ssh implementation is "much
simpler" -- perhaps, but it won't integrate with X.509-based systems and
will be playing catch-up on features for a while.  CRLs or OCSP, anyone?

A thread from 2002 with some frank discussion that is still valid now:

http://marc.info/?t=101179752100001&r=1&w=2

-- 
Matt


-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux