ssh_host_keys
Till Maas
opensource at till.name
Wed Dec 10 22:04:25 UTC 2008
On Wed December 10 2008, Mike McGrath wrote:
> On Wed, 10 Dec 2008, Mike McGrath wrote:
> > I've not actually used global ssh_known_hosts before, I wouldn't be
> > surprised if it causes issues in some of our scripts that might have a
> > conflicting ~/.ssh/known_hosts. Lets keep our eyes open.
If there is a conflict, then the public key of the host the script connects to
will probably not match. Therefore there is a problem anyways.
> http://fedoraproject.org/wiki/Infrastructure/SOP/ssh_known_hosts
I suggest to use
echo app1,10.8.34.59 $(cat /etc/ssh/ssh_host_rsa_key.pub)
on the regarding machine instead of
ssh-keyscan -t rsa app1,10.8.34.59
on a remote machine. Otherwise there may be still a small window of
opportunity for a mitm attack.
Regards,
Till
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20081210/1e4ddee3/attachment.bin
More information about the infrastructure
mailing list