On 01.07.2014 13:51, Miloslav Trmač wrote:
> Hello,
>
> ----- Original Message -----
>> On 01.07.2014 13:04, Stef Walter wrote:
>>> It would look something like:
>>>
>>> Fedora Release 21 (xxx)
>>> Kernel 3.14.8-200.fc20.x86_64 on an x86_64 (tty1)
>>>
>>> Remote access: https://192.168.11.10:4444
>>> SHA1: 80:81:46:45:0E:FF:75:AD:C5:40:7A:C2:38:74:57:46:BF:B1:DD:1C
>>>
>>> localhost login:
>>
>> From a security point of view this is questionable; whoever set up a
>> server should not need that.
>
> People new to server administration would probably find this much
> more helpful than “unauthorized access to your own computer is
> prohibited” :)
>
> The URL is not all that useful before login when accessing the system
> remotely (because the user has obviously managed without it), though
> it might be helpful after ssh login to inform the user about other
> options. The fingerprint is positively useless (I’d even call it
> harmful) when connecting over the network with an unauthenticated
> connection (though, true, sshd has no way to know whether the
> connecting user knows or has verified the ssh fingerprint).
>
> Could we show the URL and fingerprint before login only on local
> consoles? (And perhaps after login on already-authenticated network
> connections, because at that point damage, if any, is done.) This
> should be equally useful and not add to the concerns about
> fingerprinting or teaching users to trust unverified fingerprints.

Yes, I was talking mainly about displaying it on the VT, so you can see
it for a VM or headful (heh) server.

But yes, another way to see this info once logged in on a terminal is
also interesting.

I was talking about the fingerprint for the Cockpit certificate, but the
SSH fingerprint might be useful too in other cases. Too bad they'll
always be different.

I'm playing with the implementation here. Will keep you all posted.

Stef