X.509 support in ssh (revisited)

Ed Phillips ed at UDel.Edu
Thu Jan 24 05:52:54 EST 2002


On Wed, 23 Jan 2002, Markus Friedl wrote:

> Date: Wed, 23 Jan 2002 19:39:54 +0100
> From: Markus Friedl <markus at openbsd.org>
> To: Ed Phillips <ed at UDel.Edu>
> Cc: mouring at etoh.eviladmin.org,
>      Donald van de Weyer <donald at demag.rwth-aachen.de>,
>      Thanos Siaperas <thanus at ccf.auth.gr>, openssh-unix-dev at mindrot.org,
>      secureshell at securityfocus.com
> Subject: Re: X.509 support in ssh (revisited)
>
> On Wed, Jan 23, 2002 at 12:57:24PM -0500, Ed Phillips wrote:
> > Okay... maybe someone has upgraded OpenSSH on the system and generated a
> > new hostkey.  How can you tell?
>
> well, there is no need to generate a new hostkey after an upgrade
> of ssh. not even after an upgrade of the system.

I know... but likely, the system disk died, or the OS was installed from
scratch because the machine was hacked, replaced, is new, etc.  Plus, it's
good to change your keys from time to time to keep the hackers guessing
(esp. in a firewall-free site like ours).  In our environment, we need to
be able to generate a new host key on a "whim"... but we'd also like to
have some level of confidence that we were the ones who generated it, in a
way that is more "automated" than the hand-verify of the fingerprint (how
do you protect the fingerprints anyway?).  That's why I suggested to
somehow leverage LDAP+SSL in the ssh client to verify hostkeys instead of
relying on ~/.ssh/known_hosts in 30000+ users' insecure-NFS-mounted home
directories (which got shot down in flames).

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key