Date:      Thu, 16 Nov 2006 14:56:27 +0100
From:      Daniel Lang <dl@leo.org>
To:        "Wolfgang S. Rupprecht" <wolfgang+gnus200611@dailyplanet.dontspam.wsrcc.com>
Cc:        freebsd-current@freebsd.org, openssh-unix-dev@mindrot.org, tech@openbsd.org
Subject:   Re: OpenSSH Certkey (PKI)
Message-ID:  <20061116135627.GA26343@tortuga.leo.org>
In-Reply-To: <87odr8i53w.fsf@arbol.wsrcc.com>
References:  <20061115142820.GB14649@insomnia.benzedrine.cx> <87odr8i53w.fsf@arbol.wsrcc.com>

Hi Wolfgang,

Wolfgang S. Rupprecht wrote on Wed, Nov 15, 2006 at 04:53:55PM -0800:
[..]
> > +the responsibility of verifying host keys, and users do no longer need to
> > +maintain known_hosts files of their own.
              ^^^^^^^^^^^
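Review bot: "users do no longer need to" in the second added line is ungrammatical; "users no longer need to maintain known_hosts files of their own" reads correctly. Since the sentence is about verifying host keys, it would also help to say explicitly that it concerns host authentication, so it is not read as a statement about which users are allowed to log in.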
[..]
> I would hate to have my ssh allow anyone in just because we used the
> same CA.  I still see the authorized_keys file as having a very
> important role even if the first layer defense is to check if the
> certificate is signed by a CA I trust.
[..]

Are you, by any chance, mixing up "known_hosts" and "authorized_keys"?

Cheers,
 Daniel


