On Wed, 2010-08-11 at 01:55 -0700, Matt McCutchen wrote:
> On Tue, 2010-08-10 at 09:07 -0600, Stephen John Smoogen wrote:
> > On Sun, Aug 8, 2010 at 14:04, Matt McCutchen <matt@xxxxxxxxxxxxxxxxx> wrote:
> > > On Thu, 2010-08-05 at 22:23 +0200, Till Maas wrote:
> > >> Yes ssh is secure if used properly. To get the proper known_hosts entry,
> > >> one has to download https://admin.fedoraproject.org/ssh_known_hosts btw.
> > >
> > > I'm very glad to see that Fedora provides such a list. I just installed
> > > it on my computer (after filtering out hostnames not ending with
> > > fedoraproject.org, for obvious reasons).
> > >
> > > Is it documented anywhere? For full security, every packager should
> > > install it rather than allowing ssh to add host keys on first use.
> >
> > Well I am not sure that file would be all that useful as it contains
> > lots of hosts a packager would not get to AND could conflict with
> > other networks as it contains a lot of 10.X.X. and 192.X.X. ips.
>
> Then let's post an excerpt that would be useful to packagers.
>
> > It also gets updated from time to time as we rebuild hosts.
>
> That just speaks to the need for better tooling to maintain personal
> known-hosts files, or for Fedora to operate an ssh certificate
> authority.
>
> It appears that the ssh folks rejected X.509 out of disgust for the
> public CAs, found themselves left with no solution at all to
> authenticate hosts the first time, and are now reimplementing it
> incompatibly. The man page claims the ssh implementation is "much
> simpler" -- perhaps, but it won't integrate with X.509-based systems and
> will be playing catch-up on features for a while. CRLs or OCSP, anyone?
>
> A thread from 2002 with some frank discussion that is still valid now:
>
> http://marc.info/?t=101179752100001&r=1&w=2

The PKI is unfortunately hopelessly broken deep in its concepts.
See for example here: http://searchsecurity.techtarget.com/news/interview/0,289202,sid14_gci1360143,00.html

DNSSEC is a much more reasonable way to go. But we are getting off-topic here.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
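The filtering step Matt describes (keep only fedoraproject.org host keys) together with Stephen's concern about 10.x/192.x addresses colliding with other networks, as an added POSIX sh/awk example that is not code from the thread or from Fedora infrastructure. It reads the downloaded ssh_known_hosts on stdin, drops hashed `|1|` entries (they cannot be checked against a domain), strips private-address aliases from each host list, and keeps an entry only if at least one fedoraproject.org name remains; the `@cert-authority`/`@revoked` marker syntax and the `[host]:port` form are handled. The function name is an assumption.

```shell
#!/bin/sh
# Usage: filter_fedora_known_hosts < ssh_known_hosts >> ~/.ssh/known_hosts
filter_fedora_known_hosts() {
    awk '
    # Skip blank lines, comments and hashed (|1|...) entries: a hashed host
    # name cannot be matched against fedoraproject.org, so it is not trusted.
    /^[[:space:]]*$/ || /^#/ || /^\|/ { next }
    {
        start = 1
        # An optional marker (@cert-authority, @revoked) precedes the host list.
        if ($1 ~ /^@/) start = 2
        n = split($start, hosts, ",")
        kept = ""
        for (i = 1; i <= n; i++) {
            h = hosts[i]
            m = h
            # Normalise [host]:port to host for matching purposes only.
            sub(/^\[/, "", m); sub(/\]:[0-9]+$/, "", m)
            # Drop RFC 1918 aliases that would collide with other networks.
            if (m ~ /^10\./ || m ~ /^192\.168\./ || m ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) continue
            # Keep only names (or *.wildcards) under fedoraproject.org.
            if (m !~ /(^|\.)fedoraproject\.org$/) continue
            kept = (kept == "" ? h : kept "," h)
        }
        if (kept == "") next
        $start = kept
        print
    }'
}
```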