From owner-freebsd-security Thu Jan 20 9:21:49 2000
Delivered-To: freebsd-security@freebsd.org
From: "Scott Hess" <scott@avantgo.com>
To: "Richard Martin"
Subject: Re: ssh
Date: Thu, 20 Jan 2000 09:20:35 -0800
Message-ID: <00a201bf636a$aa130680$1e80000a@avantgo.com>
References: <20000120093017.18539.qmail@hotmail.com> <20000120193954V.1000@eccosys.com> <3887246F.310D98F8@origenbio.com>

"Richard Martin" wrote:
> Then make it more difficult to even get a connection. Change in ssh.config
>
> StrictHostKeyChecking yes
>
> StrictHostKeyChecking requires that the sysadmin append any new keys to
> whomever's keyring, meaning that strangers cannot just log in and append their
> keys by default. This is a bit more work for the operator, but very much more
> secure. Depends on how many people need ssh access, I guess.

AFAIK, at least under 1.2.27, StrictHostKeyChecking only relates to the client side. It's easily disabled by doing something like ssh -o 'StrictHostKeyChecking no' hostname. Obviously any security that depends on the client side in this way isn't helpful.

I've never really understood this, because it seems like it would really be more useful to have on the _server_ side. Worse, you can't even force it on the client side, so you can't even prevent people from whacking other servers from your host.

[Well, even if you could, I suppose they could just recompile, or use -F to specify an alternate config, or just modify ~/.ssh/config.]

scott