Fedora's ssh known hosts file

Matt McCutchen matt at mattmccutchen.net
Wed Aug 11 08:55:53 UTC 2010


On Tue, 2010-08-10 at 09:07 -0600, Stephen John Smoogen wrote: 
> On Sun, Aug 8, 2010 at 14:04, Matt McCutchen <matt at mattmccutchen.net> wrote:
> > On Thu, 2010-08-05 at 22:23 +0200, Till Maas wrote:
> >> Yes ssh is secure if used properly. To get the proper known_hosts entry,
> >> one has to download https://admin.fedoraproject.org/ssh_known_hosts btw.
> >
> > I'm very glad to see that Fedora provides such a list.  I just installed
> > it on my computer (after filtering out hostnames not ending with
> > fedoraproject.org, for obvious reasons).
> >
> > Is it documented anywhere?  For full security, every packager should
> > install it rather than allowing ssh to add host keys on first use.
> 
> Well I am not sure that file would be all that useful as it contains
> lots of hosts a packager would not get to AND could conflict with
> other networks as it contains a lot of 10.X.X. and 192.X.X. ips.

Then let's post an excerpt that would be useful to packagers.

> It also gets updated from time to time as we rebuild hosts.

That just speaks to the need for better tooling to maintain personal
known-hosts files, or for Fedora to operate an ssh certificate
authority.

It appears that the ssh folks rejected X.509 out of disgust for the
public CAs, found themselves left with no solution at all to
authenticate hosts the first time, and are now reimplementing it
incompatibly.  The man page claims the ssh implementation is "much
simpler" -- perhaps, but it won't integrate with X.509-based systems and
will be playing catch-up on features for a while.  CRLs or OCSP, anyone?

A thread from 2002 with some frank discussion that is still valid now:

http://marc.info/?t=101179752100001&r=1&w=2

-- 
Matt
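The thread mentions two concrete things without showing them: trimming the infrastructure-wide ssh_known_hosts file down to the fedoraproject.org entries (dropping the 10.x and 192.168.x addresses that would collide with other networks), and the alternative of a `@cert-authority` line for an ssh certificate authority. The script below is an added example written for this page, not code from Fedora infrastructure or from anyone in the thread. It assumes the downloaded file uses the OpenSSH known_hosts format (optional `@cert-authority`/`@revoked` marker, comma-separated host patterns, key type, base64 key, optional comment); the sample file and the key strings in it are constructed placeholders.

```python
"""Trim a project-wide ssh known_hosts file to the hosts a packager will reach.

Added example for this thread, not code from Fedora infrastructure.  It assumes
the upstream file uses the OpenSSH known_hosts format: an optional marker
(@cert-authority or @revoked), a comma-separated list of host patterns, the key
type, the base64 key and an optional comment.  Private (RFC 1918) address
patterns are dropped so the file cannot collide with other networks, and hashed
"|1|..." entries are dropped because their hostname cannot be recovered.
"""
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def host_part(pattern):
    """Strip the [host]:port wrapper OpenSSH uses for non-default ports."""
    if pattern.startswith("[") and "]:" in pattern:
        return pattern[1:pattern.index("]:")]
    return pattern


def is_private_ip(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def wanted(pattern, suffix):
    """Keep a pattern only if it names a host under `suffix` (wildcards such as
    *.suffix count) and is not a private address.  A dotted-suffix check is
    used so that names like suffix.attacker.example or evilsuffix do not match."""
    host = host_part(pattern)
    if is_private_ip(host):
        return False
    return host == suffix or host.endswith("." + suffix)


def parse_line(line):
    """Split one known_hosts line into (marker, patterns, keytype, key, comment).
    Returns None for blank, comment and hashed lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    marker = fields.pop(0) if fields[0].startswith("@") else None
    if len(fields) < 3 or fields[0].startswith("|1|"):
        return None
    patterns = fields[0].split(",")
    comment = " ".join(fields[3:])
    return marker, patterns, fields[1], fields[2], comment


def filter_known_hosts(text, suffix="fedoraproject.org"):
    """Return the lines of `text` restricted to host patterns under `suffix`;
    a line keeps its key and marker but loses every pattern that fails `wanted`."""
    out = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        marker, patterns, keytype, key, comment = parsed
        keep = [p for p in patterns if wanted(p, suffix)]
        if not keep:
            continue
        parts = ([marker] if marker else []) + [",".join(keep), keytype, key]
        if comment:
            parts.append(comment)
        out.append(" ".join(parts))
    return out


# Constructed sample resembling an infrastructure-wide file; keys are placeholders.
SAMPLE = """\
# mixed public and internal hosts
pkgs.fedoraproject.org,10.5.125.44 ssh-rsa AAAAB3EXAMPLEKEY1 pkgs
[bastion.fedoraproject.org]:2222,[192.168.1.9]:2222 ssh-rsa AAAAB3EXAMPLEKEY2
db01.vpn.internal,10.5.126.23 ssh-rsa AAAAB3EXAMPLEKEY3
@cert-authority *.fedoraproject.org ssh-rsa AAAAB3EXAMPLECAKEY
|1|abcdef=|ghijkl= ssh-rsa AAAAB3EXAMPLEKEY4
other.example.org ssh-rsa AAAAB3EXAMPLEKEY5
"""

if __name__ == "__main__":
    for entry in filter_known_hosts(SAMPLE):
        print(entry)
```

Run against the sample, the output keeps the pkgs and bastion entries with their private-address patterns removed, keeps the `@cert-authority *.fedoraproject.org` line (the form a Fedora-operated ssh CA would be trusted through, so one line survives host rebuilds instead of one key per host), and drops the internal-only host, the hashed entry and the unrelated domain. Hashed entries are dropped rather than kept because a hashed hostname cannot be checked against the suffix, which is the same reason it is worth requesting an unhashed excerpt from the project.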
