Public storage for public keys
Pekka Savola
pekkas at netcore.fi
Tue Jan 15 08:45:33 EST 2002
On Mon, 14 Jan 2002, Michael Tokarev wrote:
> Well yes, I know, there are other ways exists to distribute "global"
> (in a lan sense) /etc/ssh_known_hosts file. But I need to do this
> manually each time I'll connect to a new target host.
FWIW, we push a global known_hosts files to all the systems nightly.
Works rather nicely.
> But the question was in fact somewhat different. It wasn't about
> security and how secure various sources are, but about a *possibility*
> to use something like nss for pubkeys storage. Every installation
> or site will decide what is usable/acceptable/secure/whatether in
> their sense (after all, nfs-mounted homedir with ~/.ssh/ssh_known_hosts
> (no, I don't tell here about ~/.ssh/identify w/o password!) can't be
> "secure" either!). There ARE secure methods esists and used already
> for other means.
A "solution" for this is to keep personal known_hosts files small, and
from time to time, "harvest" them all in one place, combine them with
uniq(1) and update the global file.
Perhaps not the best approach, but at least it's almost manageable.
--
Pekka Savola "Tell me of difficulties surmounted,
Netcore Oy not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
More information about the openssh-unix-dev
mailing list