From owner-freebsd-arch Tue Oct 10 10:29:43 2000
Delivered-To: freebsd-arch@freebsd.org
Received: from earth.backplane.com (placeholder-dcat-1076843290.broadbandoffice.net [64.47.83.26]) by hub.freebsd.org (Postfix) with ESMTP id 2F1F437B66C; Tue, 10 Oct 2000 10:29:41 -0700 (PDT)
Received: (from dillon@localhost) by earth.backplane.com (8.11.0/8.9.3) id e9AHTe913811; Tue, 10 Oct 2000 10:29:40 -0700 (PDT) (envelope-from dillon)
Date: Tue, 10 Oct 2000 10:29:40 -0700 (PDT)
From: Matt Dillon
Message-Id: <200010101729.e9AHTe913811@earth.backplane.com>
To: Robert Watson
Cc: Kris Kennaway, Terry Lambert, arch@FreeBSD.org, Poul-Henning Kamp, Warner Losh, Jeroen Ruigrok van der Werven
Subject: Re: cvs commit: src/etc inetd.conf
References:
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

:I'm referring to the host public key, which is used by the client to
:authenticate the connection to the server. If the client cannot retrieve
:it in a secure manner, it cannot securely authenticate that it has
:connected to the right host. Right now, in absence of any defined PKI for
:SSH, the commonly accepted mechanism is to compare the a priori known host
:key fingerprint with the one printed by the SSH client: if they are the
:same, and the hostname being bound is the same, accept the key. In the
:current install, that fingerprint does not become available until after
:the first boot with SSH enabled.
:
: Robert N M Watson
:
:robert@fledge.watson.org http://www.watson.org/~robert/

Most people don't care, they just type 'yes' when ssh complains about seeing a new host for the first time and it gets recorded. So why should they care on a first-time install? I certainly don't care... while it is entirely proper for ssh to complain, it doesn't follow that a sysop has to listen to it. This is certainly not a show stopper.

Besides, you get no assurances at all with telnet so this point isn't really relevant to the discussion.

-Matt

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
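The check the thread is arguing about, as an added Python example (it is not code from this mailing-list thread or from OpenSSH): the client is shown a host key, and it either matches what known_hosts already recorded for that host, matches the fingerprint the operator obtained a priori, or is simply accepted unverified because the operator "typed yes" the first time. The key bytes, host name, salt and known_hosts lines below are constructed for the example; the fingerprint formats (SHA256 base64 without padding, MD5 colon-hex) and the hashed-hostname form (HMAC-SHA1 under a per-entry salt) follow what ssh-keygen and known_hosts use, but the decision labels are my own naming.

```python
"""Host-key verification decisions (added example, not from the thread).

All key material, host names and known_hosts lines are constructed here so the
example runs offline; none of it is real data from the mailing-list discussion.
"""
import base64
import hashlib
import hmac
from typing import List, Optional, Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return len(data).to_bytes(4, "big") + data


def make_pubkey_line(keytype: str, key_material: bytes, comment: str) -> str:
    """Build an OpenSSH one-line public key: '<type> <base64 blob> <comment>'.

    For ssh-ed25519 the blob is string(type) + string(32 key bytes); the key
    bytes here are constructed and are not a real curve point.
    """
    blob = ssh_string(keytype.encode()) + ssh_string(key_material)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Return (keytype, raw blob); refuse a blob whose leading type string disagrees."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside blob does not match declared type")
    return keytype, blob


def fingerprint_sha256(blob: bytes) -> str:
    """Same form as 'ssh-keygen -l -E sha256': SHA256:<base64, padding stripped>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy 'ssh-keygen -l -E md5' form, for comparing against old written-down notes."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def hashed_host(host: str, salt: bytes) -> str:
    """known_hosts hashed host field: |1|<b64 salt>|<b64 HMAC-SHA1(salt, host)>."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def entry_matches_host(field: str, host: str) -> bool:
    """Match a known_hosts host field, either plain (comma-separated) or hashed."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        expected = hashed_host(host, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected.encode(), field.encode())
    return host in field.split(",")


def decide(host: str, presented: str, known_hosts: List[str],
           expected_fp: Optional[str] = None) -> str:
    """What a client should do with the host key it was just shown.

    Returns one of (labels are this example's own):
      'known'      - matches the known_hosts entry recorded for this host
      'verified'   - no entry, but the a priori known SHA256 fingerprint matches
      'unverified' - no entry and nothing to compare against: the "just type yes" case
      'MISMATCH'   - an entry or expected fingerprint exists for this host and differs
    """
    keytype, blob = parse_pubkey_line(presented)
    for entry in known_hosts:
        fields = entry.split()
        if entry.startswith("#") or len(fields) < 3:
            continue
        if not entry_matches_host(fields[0], host) or fields[1] != keytype:
            continue
        if hmac.compare_digest(base64.b64decode(fields[2]), blob):
            return "known"
        return "MISMATCH"  # same host, same key type, different key: do not connect
    if expected_fp is None:
        return "unverified"
    if hmac.compare_digest(expected_fp.encode(), fingerprint_sha256(blob).encode()):
        return "verified"
    return "MISMATCH"


if __name__ == "__main__":
    host = "earth.backplane.com"  # constructed example host
    key = make_pubkey_line("ssh-ed25519", bytes(range(32)), "constructed@example")
    _, blob = parse_pubkey_line(key)
    print(fingerprint_sha256(blob), fingerprint_md5(blob))
    print(decide(host, key, []), decide(host, key, [], fingerprint_sha256(blob)))
```

The 'unverified' outcome is exactly the path Matt describes: nothing is wrong with the key, the client just has no basis for trusting it, and from that point on the recorded entry turns every later connection into a 'known' or 'MISMATCH' check. Robert's point is that 'verified' is only reachable if the fingerprint exists somewhere the operator can read it before the first connection.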