Date: Thu, 20 Jan 2000 09:20:35 -0800
From: "Scott Hess" <scott@avantgo.com>
To: "Richard Martin" <dmartin@origenbio.com>, <sen_ml@eccosys.com>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: ssh
Message-ID: <00a201bf636a$aa130680$1e80000a@avantgo.com>
References: <20000120093017.18539.qmail@hotmail.com> <20000120193954V.1000@eccosys.com> <3887246F.310D98F8@origenbio.com>

"Richard Martin" <dmartin@origenbio.com> wrote:
> Then make it more difficult to even get a connection. Change in ssh.config
>
> StrictHostKeyChecking yes
>
> StrictHostKeyChecking requires that the sysadmin append any new keys to
> whomever's keyring, meaning that strangers cannot just log in and append their
> keys by default. This is a bit more work for the operator, but very much more
> secure. Depends on how many people need ssh access, I guess.

AFAIK, at least under 1.2.27, StrictHostKeyChecking only relates to the
client side. It's easily disabled by doing something like
ssh -o 'StrictHostKeyChecking no' hostname. Obviously any security that
depends on the client side in this way isn't helpful.

I've never really understood this, because it seems like it would really
be more useful to have on the _server_ side. Worse, you can't even force
it on the client side, so you can't even prevent people from whacking other
servers from your host. [Well, even if you could, I suppose they could
just recompile, or use -F to specify an alternate config, or just modify
~/.ssh/config.]

scott
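
The point made in the reply above, as an added example that is not part of the original message: a small model of how an ssh client picks the effective value of an option, showing why a system-wide "StrictHostKeyChecking yes" does not bind the user. It follows the lookup order documented in OpenSSH's ssh_config(5) (command line, then user config, then system-wide config, first value obtained wins); that ssh 1.2.27 resolves options the same way is an assumption. The function names and sample configs are constructed, and Host matching is simplified to plain wildcards.

```python
import fnmatch
import re

# "Keyword value" or "Keyword=value", as accepted in config files and by -o
LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")

def parse_config(text):
    """Yield (host_patterns, keyword, value) for each option line."""
    patterns = ["*"]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not m or line.startswith("#"):
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "host":
            patterns = value.split()
        else:
            yield patterns, keyword, value

def effective(option, host, cli_opts, user_cfg, system_cfg):
    """Return (value, source); the first source that sets the option wins."""
    want = option.lower()
    for opt in cli_opts:  # 1. -o 'Keyword value' on the command line
        m = LINE.match(opt.strip())
        if m and m.group(1).lower() == want:
            return m.group(2).strip(), "command line"
    # 2. the user's own config, 3. the system-wide config
    for source, text in (("user config", user_cfg), ("system config", system_cfg)):
        for patterns, keyword, value in parse_config(text):
            if keyword == want and any(fnmatch.fnmatchcase(host, p) for p in patterns):
                return value, source
    return None, "built-in default"

# Constructed sample configs: the admin sets the strict policy system-wide,
# the user relaxes it for one domain in a file the admin does not control.
SYSTEM_CFG = "Host *\n    StrictHostKeyChecking yes\n"
USER_CFG = "# personal overrides\nHost *.example.org\n    StrictHostKeyChecking=no\n"

if __name__ == "__main__":
    for cli in ([], ["StrictHostKeyChecking no"]):
        for host in ("db.example.org", "other.example.net"):
            print(host, cli, effective("StrictHostKeyChecking", host, cli, USER_CFG, SYSTEM_CFG))
```

The system-wide setting only takes effect when neither the command line nor the user's file mentions the option, so it works as a default for cooperative users and not as an enforced policy.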