Remote access url and fingerprint in /etc/issue

Miloslav Trmač mitr at redhat.com
Tue Jul 1 11:51:33 UTC 2014


Hello,
----- Original Message -----
> On 01.07.2014 13:04, Stef Walter wrote:
> > It would look something like:
> >    Fedora Release 21 (xxx)
> >    Kernel 3.14.8-200.fc20.x86_64 on an x86_64 (tty1)
> > 
> >    Remote access:
> >      https://192.168.11.10:4444
> >      SHA1: 80:81:46:45:0E:FF:75:AD:C5:40:7A:C2:38:74:57:46:BF:B1:DD:1C
> > 
> >    localhost login:
> 
> from a security point of view this is questionable
> whoever set up a server should not need that

People new to server administration would probably find this much more helpful than “unauthorized access to your own computer is prohibited” :)


The URL is not all that useful before login when accessing the system remotely (because the user has obviously managed without it), though it might be helpful after ssh login to inform the user about other options.  The fingerprint is positively useless (I’d even call it harmful) when connecting over the network with an unauthenticated connection (though, true, sshd has no way to know whether the connecting user knows and has verified the ssh fingerprint).

Could we show the URL and fingerprint before login only on local consoles?  (And perhaps after login on already-authenticated network connections, because at that point damage, if any, is done.)  This should be equally useful and not add to the concerns about fingerprinting or teaching users to trust unverified fingerprints.

(And if there was nothing else to do, the fingerprint could use some kind of documentation link rather than a strict “SHA1”; but it’s not obvious how to do that well.  Perhaps a URL shortener link, but that would require an ongoing maintenance commitment.)
    Mirek

