Remote access url and fingerprint in /etc/issue
stefw at redhat.com
Thu Jul 3 10:21:51 UTC 2014
On 01.07.2014 13:51, Miloslav Trmač wrote:
> Hello, ----- Original Message -----
>> Am 01.07.2014 13:04, schrieb Stef Walter:
>>> It would look something like: Fedora Release 21 (xxx) Kernel
>>> 3.14.8-200.fc20.x86_64 on an x86_64 (tty1)
>>> Remote access: https://192.168.11.10:4444 SHA1:
>>> localhost login:
>> from security point of view this is questionable whoever setup a
>> server should not need that
> People new to server administration would probably find this much
> more helpful than “unauthorized access to your own computer is
> prohibited“ :)
> The URL is not all that useful before login when accessing the system
> remotely (because the user has obviously managed without it), though
> it might be helpful after ssh login to inform the user about other
> options. The fingerprint is positively useless (I’d even call it
> harmful) when connecting over the network with an unauthenticated
> connection (though, true, sshd has no way to know whether the
> connecting user knows as has verified the ssh fingerprint).
> Could we show the URL and fingerprint before login only on local
> consoles? (And perhaps after login on already-authenticated network
> connections, because at that point damage, if any, is done.) This
> should be equally useful and not add to the concerns about
> fingerprinting or teaching users to trust unverified fingerprints.
Yes, I was talking mainly about displaying it on the VT, so you can see
it for a VM or headful (heh) server.
But yes, another way to see this info once logged in on a terminal is
I was talking about the fingerprint for the Cockpit certificate, but the
SSH fingerprint might be useful too in other cases. Too bad they'll
always be different.
I'm playing with the implementation here. Will keep you all posted.
More information about the server