* Colin Watson
| On Sat, Jul 02, 2005 at 08:17:57PM +0200, Marco d'Itri wrote:
| > On Jul 02, Olaf van der Spek <[EMAIL PROTECTED]> wrote:
| > > On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
| > > > What is the rationale for changing the default setting?
| > > > I find it very annoying, and
* Wouter Verhelst:
>> > -- and relying on other people's security to increase your own isn't
>> > pretty clever, actually.
>>
>> Currently, it's the foundation of Internet security, I'm afraid.
>
> Well, then the 'foundation of Internet security' is very weak, I'm
> afraid.
It is.
> It's plain
Wouter Verhelst wrote:
> and
> relying on other people's security to increase your own isn't pretty
> clever, actually.
Well, it increases your own security too: It makes it harder to use your
machine, were it to be compromised, as an attacker. This increases your
security in two ways:
1. General
[Martijn van Oosterhout]
> To be honest, I think it would be far more useful to timestamp each
> entry so you can simply expire old ones.
Last access time, it'd have to be, not create time. Meaning, every
time ssh runs, it rewrites .ssh_known_hosts (and not just appends to
it). Which implies lo
On Jul 2, 2005, at 19:40, Olaf van der Spek wrote:
On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
What is the rationale for changing the default setting?
I find it very annoying, and from a brief discussion on #debian-devel I
see that I'm not alone.
What causes this annoyance?
It
On Sun, 2005-07-03 at 18:36 +0200, Martijn van Oosterhout wrote:
> One case I can think of is where you regularly ssh into a machine with
> a dynamic IP address. Maybe with or without a dyndns name. Depending
> on the size of the ISP and how often the address changes the
> known_hosts files could
* Colin Watson:
> That's true. You can add them by hand without hashing the host name (and
> use 'ssh-keygen -H' afterwards if you like); known_hosts may contain a
> mix of hashed and unhashed host names.
>
> Is this a feature you would use often?
It might be practical for those of us who copy SS
On Sun, Jul 03, 2005 at 08:25:51PM +0100, Jochen Voss wrote:
> On Sun, Jul 03, 2005 at 12:20:47AM +0100, Colin Watson wrote:
> > On Sat, Jul 02, 2005 at 11:42:40PM +0200, Marco d'Itri wrote:
> > > There is also the quite important point that even the most stupid of the
> > > attackers could just lo
Hello,
On Sun, Jul 03, 2005 at 12:20:47AM +0100, Colin Watson wrote:
> On Sat, Jul 02, 2005 at 11:42:40PM +0200, Marco d'Itri wrote:
> > There is also the quite important point that even the most stupid of the
> > attackers could just look at ~/.bash_profile instead and get all or most
> > of the
Martijn van Oosterhout wrote:
> One case I can think of is where you regularly ssh into a machine with
> a dynamic IP address. Maybe with or without a dyndns name. Depending
> on the size of the ISP and how often the address changes the
> known_hosts files could increase without bound.
I don't bel
s) for this is not clear to me.
> >
> > Well, how do you audit the files and purge stale entries.
>
> That comes under "fastidiousness" as far as I'm concerned: the only
> benefits I see from bothering to do that are (a) negligible performance
> differences and
On Sun, Jul 03, 2005 at 11:08:38AM +0200, Florian Weimer wrote:
> * Colin Watson:
> > On Sat, Jul 02, 2005 at 09:04:18PM +0200, Florian Weimer wrote:
> >> There should be tools supporting this, I agree.
> >
> > There is such a tool, which I mentioned in the changelog:
> >
> > - ssh and ssh-keys
On Sun, Jul 03, 2005 at 05:16:08PM +0200, Kurt Roeckx wrote:
> On Sun, Jul 03, 2005 at 03:52:07PM +0100, Colin Watson wrote:
> > The only time I've ever removed entries from
> > known_hosts is when I know that a specific host's key has changed, and
> > 'ssh-keygen -R' deals with that just fine.
>
On Sun, Jul 03, 2005 at 03:52:07PM +0100, Colin Watson wrote:
> The only time I've ever removed entries from
> known_hosts is when I know that a specific host's key has changed, and
> 'ssh-keygen -R' deals with that just fine.
That option seems to be undocumented. It's not in the man page
or the
he files and purge stale entries.
That comes under "fastidiousness" as far as I'm concerned: the only
benefits I see from bothering to do that are (a) negligible performance
differences and (b) hiding of old information, which HashKnownHosts
gives you anyway. I don't see how it
In article <[EMAIL PROTECTED]> you wrote:
> That's true, and unavoidable in this scheme; but the use case (beyond
> fastidiousness) for this is not clear to me.
Well, how do you audit the files and purge stale entries.
Gruss
Bernd
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of
On Sun, Jul 03, 2005 at 12:17:13AM +0100, Colin Watson wrote:
> On Sat, Jul 02, 2005 at 11:19:26AM +0200, Marco d'Itri wrote:
> > (BTW, would you mind fixing #284874? It's six months old and should be
> > trivial...)
>
> Sorry I haven't got round to this yet. The reason I haven't done it is
> that
On Sun, Jul 03, 2005 at 02:16:08AM +0200, Marco d'Itri wrote:
> On Jul 03, Colin Watson <[EMAIL PROTECTED]> wrote:
> > Then I'm afraid you simply haven't read the documentation ...
>
> I did. But I cannot remove entries if I do not know the hostname.
That's true, and unavoidable in this scheme; b
* Colin Watson:
> On Sat, Jul 02, 2005 at 09:04:18PM +0200, Florian Weimer wrote:
>> * Wouter Verhelst:
>> > Some of us actually do care what is listed in that file, and edit it
>> > from time to time. Hashing those names makes that much harder
>>
>> There should be tools supporting this, I agree
On Jul 03, Colin Watson <[EMAIL PROTECTED]> wrote:
> > The need to edit the file to add/update/remove IP addresses, hostnames
> > and whole keys.
> Then I'm afraid you simply haven't read the documentation ...
I did. But I cannot remove entries if I do not know the hostname.
--
ciao,
Marco
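The mechanism the messages above argue about, as an added example that is not part of this thread or of OpenSSH: a small Python reimplementation of the hashed known_hosts format. It shows what HashKnownHosts writes, what 'ssh-keygen -H' does to a file that mixes hashed and plain entries (Colin Watson's point that both forms may coexist), what 'ssh-keygen -F' and 'ssh-keygen -R' need as input (Marco d'Itri's point that an entry cannot be removed without knowing its name), and what a worm that reads the file learns (the 'wormability' rationale). The hostnames, the fixed salt and the key blob are constructed placeholders; the wildcard and negation patterns OpenSSH accepts in plain entries are not handled.

```python
"""Added example, not code from this thread or from OpenSSH: a minimal
reimplementation of the hashed known_hosts scheme behind HashKnownHosts,
'ssh-keygen -H', 'ssh-keygen -F' and 'ssh-keygen -R'.  A hashed host field is
    |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>
with a fresh random 20-byte salt per line, so one host hashes differently
on every line and no precomputed dictionary applies."""
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"
SALT_LEN = 20  # HMAC-SHA1 output length, as OpenSSH uses


def hash_host(hostname, salt=None):
    """Hashed host field for one name (what HashKnownHosts writes).
    Random salt unless given; the sample fixes it only for reproducibility."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + \
        base64.b64encode(mac).decode()


def host_field_matches(field, hostname):
    """True if a hashed or plain host field covers hostname. Plain fields are
    comma-separated names; OpenSSH's wildcard/negation patterns are ignored."""
    if not field.startswith(HASH_MAGIC):
        return hostname.lower() in [h.lower() for h in field.split(",")]
    try:
        salt_b64, mac_b64 = field[len(HASH_MAGIC):].split("|", 1)
        salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    except ValueError:  # malformed entry: never a match
        return False
    want = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, want)


def split_entry(line):
    """(marker, host field, rest) for an entry, None for blank/comment lines.
    marker is '@cert-authority', '@revoked' or ''."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    marker = ""
    if s.startswith("@"):
        parts = s.split(None, 1)
        marker, s = parts[0], (parts[1] if len(parts) > 1 else "")
    parts = s.split(None, 1)
    return (marker, parts[0], parts[1]) if len(parts) == 2 else None


def hash_known_hosts(text):
    """'ssh-keygen -H': hash every plain host field. A plain 'a,b' field
    becomes one hashed line per name (a hashed field holds exactly one name);
    hashed lines, comments and blanks pass through, so files may be mixed."""
    out = []
    for line in text.splitlines():
        e = split_entry(line)
        if e is None or e[1].startswith(HASH_MAGIC):
            out.append(line)
            continue
        marker, field, rest = e
        for name in field.split(","):
            out.append((marker + " " + hash_host(name) + " " + rest).strip())
    return "\n".join(out) + "\n"


def find_host(text, hostname):
    """'ssh-keygen -F': lines whose host field covers hostname."""
    hits = []
    for line in text.splitlines():
        e = split_entry(line)
        if e is not None and host_field_matches(e[1], hostname):
            hits.append(line)
    return hits


def remove_host(text, hostname):
    """'ssh-keygen -R': drop every line covering hostname. The name is the
    required input: hashed lines cannot be listed, only tested against it."""
    hits = set(find_host(text, hostname))
    return "\n".join(l for l in text.splitlines() if l not in hits) + "\n"


def visible_hostnames(text):
    """What a worm that just reads the file learns: the names in plain fields.
    Hashed fields yield nothing without a candidate name to test."""
    names = []
    for line in text.splitlines():
        e = split_entry(line)
        if e is not None and not e[1].startswith(HASH_MAGIC):
            names.extend(e[1].split(","))
    return names


# Constructed sample: hostnames are made up and the key blob is a placeholder.
FIXED_SALT = b"\x42" * SALT_LEN
KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder"
SAMPLE = ("# constructed known_hosts: one plain entry, one hashed entry\n"
          "build.example.invalid,192.0.2.10 " + KEY + "\n"
          + hash_host("mirror.example.invalid", FIXED_SALT) + " " + KEY + "\n")

if __name__ == "__main__":
    print(hash_known_hosts(SAMPLE), visible_hostnames(hash_known_hosts(SAMPLE)))
```

Run stand-alone it prints the sample after hashing and the (empty) list of names still readable from it. Note that hash_known_hosts splits a plain "host,ip" entry into two hashed lines, which is why a hashed file grows relative to the plain one, and that remove_host has to be handed the name: with only the file in hand there is nothing to enumerate, which is the trade the thread is weighing.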
On Sat, Jul 02, 2005 at 08:17:57PM +0200, Marco d'Itri wrote:
> On Jul 02, Olaf van der Spek <[EMAIL PROTECTED]> wrote:
> > On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
> > > What is the rationale for changing the default setting?
> > > I find it very annoying, and from a brief discussion on
On Sat, Jul 02, 2005 at 11:42:40PM +0200, Marco d'Itri wrote:
> On Jul 02, Wouter Verhelst <[EMAIL PROTECTED]> wrote:
> > Well, then the 'foundation of Internet security' is very weak, I'm
> > afraid. It's plain stupid to rely on someone else to get _your_ security
> > working correctly. Think abou
On Sat, Jul 02, 2005 at 09:04:18PM +0200, Florian Weimer wrote:
> * Wouter Verhelst:
> > Some of us actually do care what is listed in that file, and edit it
> > from time to time. Hashing those names makes that much harder
>
> There should be tools supporting this, I agree.
There is such a tool,
On Sat, Jul 02, 2005 at 11:19:26AM +0200, Marco d'Itri wrote:
> What is the rationale for changing the default setting?
It's very likely to become the upstream default soon enough; they are
merely waiting on more testing. Since this is unstable, I decided it was
as good a time as any to provide so
On Jul 02, Wouter Verhelst <[EMAIL PROTECTED]> wrote:
> Well, then the 'foundation of Internet security' is very weak, I'm
> afraid. It's plain stupid to rely on someone else to get _your_ security
> working correctly. Think about it.
There is also the quite important point that even the most stup
On 7/2/05, Wouter Verhelst <[EMAIL PROTECTED]> wrote:
> > > -- and relying on other people's security to increase your own isn't
> > > pretty clever, actually.
> >
> > Currently, it's the foundation of Internet security, I'm afraid.
>
> Well, then the 'foundation of Internet security' is very weak
On Sat, Jul 02, 2005 at 09:04:18PM +0200, Florian Weimer wrote:
> * Wouter Verhelst:
>
> > Some of us actually do care what is listed in that file, and edit it
> > from time to time. Hashing those names makes that much harder
>
> There should be tools supporting this, I agree.
There are tools su
* Wouter Verhelst:
> Some of us actually do care what is listed in that file, and edit it
> from time to time. Hashing those names makes that much harder
There should be tools supporting this, I agree.
> -- and relying on other people's security to increase your own isn't
> pretty clever, actual
* Marco d'Itri:
> On Jul 02, Florian Weimer <[EMAIL PROTECTED]> wrote:
>
>> > What is the rationale for changing the default setting?
>> Reducing wormability. I think it's a pretty clever change.
> This is not what I asked, I know what this option is for.
Given its purpose, this option doesn't
On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
> On Jul 02, Olaf van der Spek <[EMAIL PROTECTED]> wrote:
>
> > On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
> > > What is the rationale for changing the default setting?
> > > I find it very annoying, and from a brief discussion on #debian-
On Jul 02, Olaf van der Spek <[EMAIL PROTECTED]> wrote:
> On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
> > What is the rationale for changing the default setting?
> > I find it very annoying, and from a brief discussion on #debian-devel I
> > see that I'm not alone.
> What causes this annoya
On Sat, Jul 02, 2005 at 03:05:47PM +0200, Florian Weimer wrote:
> * Marco d'Itri:
>
> > What is the rationale for changing the default setting?
>
> Reducing wormability. I think it's a pretty clever change.
Some of us actually do care what is listed in that file, and edit it
from time to time.
On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
> What is the rationale for changing the default setting?
> I find it very annoying, and from a brief discussion on #debian-devel I
> see that I'm not alone.
What causes this annoyance?
On Jul 02, Florian Weimer <[EMAIL PROTECTED]> wrote:
> > What is the rationale for changing the default setting?
> Reducing wormability. I think it's a pretty clever change.
This is not what I asked, I know what this option is for.
--
ciao,
Marco
* Marco d'Itri:
> What is the rationale for changing the default setting?
Reducing wormability. I think it's a pretty clever change.
On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
> What is the rationale for changing the default setting?
> I find it very annoying, and from a brief discussion on #debian-devel I
> see that I'm not alone.
I guess it went from off to on?
Wasn't there an issue with worms using the known hosts fi
What is the rationale for changing the default setting?
I find it very annoying, and from a brief discussion on #debian-devel I
see that I'm not alone.
(BTW, would you mind fixing #284874? It's six months old and should be
trivial...)
--
ciao,
Marco