Date: Tue, 10 Oct 2000 10:29:40 -0700 (PDT)
From: Matt Dillon <dillon@earth.backplane.com>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: Kris Kennaway <kris@citusc.usc.edu>, Terry Lambert <tlambert@primenet.com>, arch@FreeBSD.org, Poul-Henning Kamp <phk@critter.freebsd.dk>, Warner Losh <imp@village.org>, Jeroen Ruigrok van der Werven <jruigrok@via-net-works.nl>
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <200010101729.e9AHTe913811@earth.backplane.com>
References: <Pine.NEB.3.96L.1001010131233.28422B-100000@fledge.watson.org>
:I'm referring to the host public key, which is used by the client to
:authenticate the connection to the server. If the client cannot retrieve
:it in a secure manner, it cannot securely authenticate that it has
:connected to the right host. Right now, in absence of any defined PKI for
:SSH, the commonly accepted mechanism is to compare the a priori known host
:key fingerprint with the one printed by the SSH client: if they are the
:same, and the hostname being bound is the same, accept the key. In the
:current install, that fingerprint does not become available until after
:the first boot with SSH enabled.
:
: Robert N M Watson
:
:robert@fledge.watson.org http://www.watson.org/~robert/

    Most people don't care, they just type 'yes' when ssh complains about
    seeing a new host for the first time and it gets recorded.  So why
    should they care on a first-time install?  I certainly don't care...
    while it is entirely proper for ssh to complain, it doesn't follow
    that a sysop has to listen to it.  This is certainly not a show
    stopper.

    Besides, you get no assurances at all with telnet so this point isn't
    really relevant to the discussion.

                                        -Matt
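The mechanism Robert describes in the quoted text, comparing an a priori known host key fingerprint with the one the client shows and accepting only when the hostname also matches, as an added example that is not part of this thread and is not OpenSSH's code. It assumes the reference fingerprint was obtained out of band (for instance read off the console after first boot) and stored per hostname; the helper names, the sample key bytes and the hostnames are constructed for the example. OpenSSH in 2000 printed MD5 fingerprints as colon-separated hex and today prints "SHA256:" plus unpadded base64; both are a hash over the base64-decoded key blob, so both forms are checked here.

```python
"""Added example (not from the thread or from OpenSSH): check a host's
public key against a fingerprint learned out of band.

Assumptions: the reference fingerprint was recorded over a trusted channel
and is stored per hostname. An SSH fingerprint is a hash over the raw key
blob, i.e. the base64-decoded second field of a public-key line. Legacy
MD5 (colon hex) and modern "SHA256:<base64>" forms are both handled.
The sample key below is constructed from fixed bytes and is not a real key.
"""
import base64
import hashlib
import hmac
import struct
from typing import Dict, Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Build the wire-format blob for an ssh-ed25519 public key."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def pubkey_line(keytype: str, blob: bytes, comment: str = "") -> str:
    """Render a blob as a one-line public key, as in .pub and known_hosts files."""
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}".rstrip()


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Decode a public-key line and check the declared type matches the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("declared key type does not match blob")
    return keytype, blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH style: 16 hex bytes separated by colons."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """Modern OpenSSH style: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(hostname: str, line: str, known: Dict[str, str]) -> bool:
    """Accept the key only if the hostname is known AND its fingerprint matches."""
    expected = known.get(hostname)
    if expected is None:
        return False  # unknown host: nothing trustworthy to compare against
    _, blob = parse_pubkey_line(line)
    if expected.startswith("SHA256:"):
        actual = fingerprint_sha256(blob)
    else:
        actual = fingerprint_md5(blob)
    # Constant-time comparison so the check leaks nothing about partial matches.
    return hmac.compare_digest(actual.encode(), expected.encode())


# Constructed sample key (deterministic bytes, not a real key pair).
SAMPLE_BLOB = build_ed25519_blob(bytes(range(32)))
SAMPLE_LINE = pubkey_line("ssh-ed25519", SAMPLE_BLOB, "sample-host")

if __name__ == "__main__":
    known = {"sample-host.example": fingerprint_sha256(SAMPLE_BLOB)}
    print("same host, recorded key:", verify_host_key("sample-host.example", SAMPLE_LINE, known))
    print("other host, same key:   ", verify_host_key("other.example", SAMPLE_LINE, known))
```

The second call in the usage block is the point of Robert's "and the hostname being bound is the same": a fingerprint that is correct for one host is not evidence for another, so the lookup is keyed by hostname before any hash is compared.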