OpenSSH Key Storage
Carson Gaspar
carson at taltos.org
Sat Feb 2 05:26:15 EST 2002
--On Friday, February 01, 2002 10:08 AM -0500 Nicolas Williams
<Nicolas.Williams at ubsw.com> wrote:
> SSH RSA/DSA keys are nameless. Whatever name the server tells the client
> it has seems to me should be suspect.
Of course it's suspect. Which is why the client must validate the host key.
Possession of the key material _is_ identity, as far as SSH is concerned.
Anything else requires a trusted third party. A Kerberos KDC is a good
trusted third party. A CA is a semi-trusted third party, in my opinion. The
global DNS is an almost completely untrusted third party. Which one do you
propose using?
--
Carson
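The check Carson is describing, as an added example that is not part of the thread and not OpenSSH's own code: the client decides identity by comparing the key the server proved possession of against the key it has pinned under its own name for that host, never by trusting a name the server announces. It models OpenSSH's known_hosts file (plain host lists and the `|1|salt|hash` hashed form, HMAC-SHA1, as documented in sshd(8)) and the SHA256 fingerprint encoding; the host names, salt and key bytes are constructed placeholders, and the key blobs are only the SSH wire framing around dummy bytes, not real keys.

```python
"""Client-side host-key pinning check modelled on OpenSSH's known_hosts.

Added illustration; not code from OpenSSH or from the mailing-list thread.
Host names, salt and key bytes below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed SSH wire 'string' (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Build the '|1|salt|hash' host field OpenSSH writes with HashKnownHosts."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(pattern: str, hostname: str) -> bool:
    """Does a known_hosts host field (plain, comma list or hashed) name this host?"""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in pattern.split(",")


def verify_host_key(known_hosts: str, hostname: str, key_type: str,
                    presented: bytes) -> str:
    """Return 'match', 'mismatch', 'revoked' or 'unknown' for a presented key.

    The name the server claims is never consulted: the lookup key is the
    name the *client* used to connect, and the decision is whether the
    pinned key for that name equals the key the server proved it holds.
    """
    seen_host = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = ""
        if fields[0].startswith("@"):  # '@revoked' / '@cert-authority' markers
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue
        hosts, ktype, key_b64 = fields[0], fields[1], fields[2]
        if not host_matches(hosts, hostname) or ktype != key_type:
            continue
        pinned = base64.b64decode(key_b64)
        if marker == "@revoked":
            if hmac.compare_digest(pinned, presented):
                return "revoked"
            continue
        if marker:  # CA entries need certificate handling; out of scope here
            continue
        seen_host = True
        if hmac.compare_digest(pinned, presented):
            return "match"
    return "mismatch" if seen_host else "unknown"


# --- constructed sample data: placeholder bytes, not real keys ---
GOOD_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
ROGUE_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))
OLD_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(64, 96)))
SALT = bytes(range(20))
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "bastion.example,10.0.0.5 ssh-ed25519 " + base64.b64encode(GOOD_KEY).decode(),
    hashed_host_entry("git.example", SALT) + " ssh-ed25519 "
    + base64.b64encode(GOOD_KEY).decode(),
    "@revoked bastion.example ssh-ed25519 " + base64.b64encode(OLD_KEY).decode(),
])


def demo() -> dict:
    """Run the four outcomes a client can hit on connect."""
    return {
        "pinned": verify_host_key(KNOWN_HOSTS, "bastion.example", "ssh-ed25519", GOOD_KEY),
        "hashed": verify_host_key(KNOWN_HOSTS, "git.example", "ssh-ed25519", GOOD_KEY),
        "swapped": verify_host_key(KNOWN_HOSTS, "bastion.example", "ssh-ed25519", ROGUE_KEY),
        "revoked": verify_host_key(KNOWN_HOSTS, "bastion.example", "ssh-ed25519", OLD_KEY),
        "new": verify_host_key(KNOWN_HOSTS, "unknown.example", "ssh-ed25519", GOOD_KEY),
    }


if __name__ == "__main__":
    for outcome, result in demo().items():
        print(outcome, result, fingerprint(GOOD_KEY))
```

The "swapped" outcome is the one OpenSSH reports with its "REMOTE HOST IDENTIFICATION HAS CHANGED" warning: the name resolved to something, but the thing on the other end could not prove possession of the pinned key, so the name alone buys no identity. The "new" outcome is where the trusted-third-party question in the thread lives; without a KDC, CA or other out-of-band source, the client has nothing to compare against on first contact and must obtain the fingerprint some other way before accepting.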