Re: prompt to update a host key

On Fri, Mar 15, 2019 at 2:13 AM Jochen Bern <Jochen.Bern@xxxxxxxxx> wrote:
>
> If the host keypair(s) are truly useless for identifying a *single*,
> short-lived target host, my suggestion would be to include "global"
> keypairs into the image (and have them still replaced once in a while).
> That would at least protect clients from a fake host set up by someone
> who doesn't have access to the image or the legit hosts. (Or from
> accidentally shredding a genuine "permanent" system that somehow
> obtained the DNS name / IP of a short-lived one.)
>
> If, however, reimaging is a standardized process that might allow the
> new host pubkey(s) to be collected and distributed in one fell swoop,
> there's the GlobalKnownHostsFile setting which is *supposed* to point to
> a file maintained by the *sysadmins* ...

These are development builds of software images that will eventually
be shipped to customers, so we'd strongly prefer not to hardcode any
host keys since that could accidentally end up getting shipped
someday.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


