From owner-freebsd-current@FreeBSD.ORG  Thu Nov 16 14:17:35 2006
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
X-Original-To: freebsd-current@freebsd.org
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 767CE16A47E
	for <freebsd-current@freebsd.org>; Thu, 16 Nov 2006 14:17:35 +0000 (UTC)
	(envelope-from dl@leo.org)
Received: from tortuga.leo.org (tortuga.leo.org [83.220.155.1])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BFDFB43D6A
	for <freebsd-current@freebsd.org>; Thu, 16 Nov 2006 14:17:34 +0000 (GMT)
	(envelope-from dl@leo.org)
Received: by tortuga.leo.org (Postfix, from userid 1000)
	id 80117E02E3; Thu, 16 Nov 2006 14:56:27 +0100 (CET)
Date: Thu, 16 Nov 2006 14:56:27 +0100
From: Daniel Lang <dl@leo.org>
To: "Wolfgang S. Rupprecht"
	<wolfgang+gnus200611@dailyplanet.dontspam.wsrcc.com>
Message-ID: <20061116135627.GA26343@tortuga.leo.org>
References: <20061115142820.GB14649@insomnia.benzedrine.cx>
	<87odr8i53w.fsf@arbol.wsrcc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87odr8i53w.fsf@arbol.wsrcc.com>
X-Geek: GCS/CC d-- s: a C++$ UBS++++$ P+++$ L- E-(---) W+++(--) N++ o K w---
	O? M? V? PS+(++) PE--(+) Y+ PGP+ t++ 5+++ X R+(-) tv+ b+ DI++
	D++ G++ e+++ h---(-) r+++ y+++
User-Agent: Mutt/1.5.12-2006-07-14
Cc: freebsd-current@freebsd.org, openssh-unix-dev@mindrot.org, tech@openbsd.org
Subject: Re: OpenSSH Certkey (PKI)
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Nov 2006 14:17:35 -0000

Hi Wolfgang,

Wolfgang S. Rupprecht wrote on Wed, Nov 15, 2006 at 04:53:55PM -0800:
[..]
> > +the responsibility of verifying host keys, and users do no longer need to
> > +maintain known_hosts files of their own.
              ^^^^^^^^^^^
[..]
> I would hate to have my ssh allow anyone in just because we used the
> same CA.  I still see the authorized_keys file as having a very
> important role even if the first layer defense is to check if the
> certificate is signed by a CA I trust.
[..]

Are you, by any chance, mixing up "known_hosts" and "authorized_keys"?

Cheers,
 Daniel