* Colin Watson
| On Sat, Jul 02, 2005 at 08:17:57PM +0200, Marco d'Itri wrote:
| > On Jul 02, Olaf van der Spek <[EMAIL PROTECTED]> wrote:
| > > On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
| > > > What is the rationale for changing the default setting?
| > > > I find it very annoying, and
* Wouter Verhelst:
>> > -- and relying on other people's security to increase your own isn't
>> > pretty clever, actually.
>>
>> Currently, it's the foundation of Internet security, I'm afraid.
>
> Well, then the 'foundation of Internet security' is very weak, I'm
> afraid.
It is.
> It's plain
Wouter Verhelst wrote:
> and
> relying on other people's security to increase your own isn't pretty
> clever, actually.
Well, it increases your own security to: It makes it harder to use your
machine, were it to be compromised, as an attacker. This increases your
security in two ways:
1. General
[Martijn van Oosterhout]
> To be honest, I think it would be far more useful to timestamp each
> entry so you can simply expire old ones.
Last access time, it'd have to be, not create time. Meaning, every
time ssh runs, it rewrites .ssh_known_hosts (and not just appends to
it). Which implies lo
On Jul 2, 2005, at 19:40, Olaf van der Spek wrote:
On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
What is the rationale for changing the default setting?
I find it very annoying, and from a brief discussion on #debian-devel I
see that I'm not alone.
What causes this annoyance?
It
On Sun, 2005-07-03 at 18:36 +0200, Martijn van Oosterhout wrote:
> One case I can think of is where you regularly ssh into a machine with
> a dynamic IP address. Maybe with or without a dyndns name. Depending
> on the size of the ISP and how often the address changes the
> known_hosts files could
* Colin Watson:
> That's true. You can add them by hand without hashing the host name (and
> use 'ssh-keygen -H' afterwards if you like); known_hosts may contain a
> mix of hashed and unhashed host names.
>
> Is this a feature you would use often?
It might be practical for those of us who copy SS
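The mixed hashed/unhashed file and the 'ssh-keygen -H' and 'ssh-keygen -R' handling mentioned above, as an added example written for this page; it is not code from the thread or from OpenSSH. It assumes the hashed host field format '|1|<base64 20-byte salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>', handles plain host fields by exact match only (no wildcard patterns, no @cert-authority or @revoked markers), and the known_hosts content and key in it are constructed, not real.

```python
"""Added example (not from the original thread or from OpenSSH itself):
what HashKnownHosts / 'ssh-keygen -H' do to the host field of a known_hosts
line, and how 'ssh-keygen -F' / 'ssh-keygen -R' can still find or remove an
entry in such a file when you know the hostname, although nobody who reads
the file can recover the names from it.

Assumed hashed field format: '|1|<b64 salt>|<b64 HMAC-SHA1(salt, hostname)>'.
"""
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"


def hash_hostname(host, salt=None):
    """Hashed form of one hostname; a fresh random 20-byte salt per entry."""
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC,
                        base64.b64encode(salt).decode(),
                        base64.b64encode(digest).decode())


def hostname_matches(field, host):
    """True if a host field (hashed, or a plain comma-separated list) names host.

    A hashed field cannot be turned back into a name, but it can be tested
    against a name you already know: recompute the HMAC with the stored salt.
    Plain fields are matched exactly (assumption: no wildcard patterns).
    """
    if field.startswith(HASH_MAGIC):
        parts = field.split("|")
        if len(parts) != 4 or parts[1] != "1":
            return False
        try:
            salt = base64.b64decode(parts[2])
            expected = base64.b64decode(parts[3])
        except ValueError:
            return False
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in field.split(",")


def _entries(text):
    """Yield (line, host_field, rest); host_field is None for blank/comment lines."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            yield line, None, None
            continue
        field, rest = stripped.split(None, 1)
        yield line, field, rest


def hash_known_hosts(text):
    """'ssh-keygen -H' equivalent: hash plain host fields, keep hashed lines as-is.

    A comma-separated list becomes one hashed line per name, because a hashed
    field can only stand for a single name.  (Assumption: no @marker lines.)
    """
    out = []
    for line, field, rest in _entries(text):
        if field is None or field.startswith(HASH_MAGIC):
            out.append(line)
            continue
        for host in field.split(","):
            out.append("%s %s" % (hash_hostname(host), rest))
    return "\n".join(out) + "\n"


def find_host(text, host):
    """'ssh-keygen -F' equivalent: the key lines that name host."""
    return [line for line, field, _ in _entries(text)
            if field is not None and hostname_matches(field, host)]


def remove_host(text, host):
    """'ssh-keygen -R' equivalent: drop every key line that names host."""
    kept = [line for line, field, _ in _entries(text)
            if field is None or not hostname_matches(field, host)]
    return "\n".join(kept) + "\n"


# Constructed sample input; the key is not a real host key.
SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexampleonly="
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "example.org,192.0.2.10 " + SAMPLE_KEY,
    "build.example.net " + SAMPLE_KEY,
]) + "\n"

if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(hashed)                             # no hostnames or addresses visible
    print(find_host(hashed, "example.org"))   # still found when you know the name
    print(find_host(remove_host(hashed, "example.org"), "example.org"))  # []
```

The point of the salt is that an attacker who reads the file cannot even batch-test a list of candidate names against all entries at once; each entry has to be tried separately. Conversely, this is exactly why there is no way to list or prune entries whose names you no longer remember: the only operations available on a hashed entry are "does it match this name" and "delete it".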
On Sun, Jul 03, 2005 at 08:25:51PM +0100, Jochen Voss wrote:
> On Sun, Jul 03, 2005 at 12:20:47AM +0100, Colin Watson wrote:
> > On Sat, Jul 02, 2005 at 11:42:40PM +0200, Marco d'Itri wrote:
> > > There is also the quite important point that even the most stupid of the
> > > attackers could just lo
Hello,
On Sun, Jul 03, 2005 at 12:20:47AM +0100, Colin Watson wrote:
> On Sat, Jul 02, 2005 at 11:42:40PM +0200, Marco d'Itri wrote:
> > There is also the quite important point that even the most stupid of the
> > attackers could just look at ~/.bash_profile instead and get all or most
> > of the
Martijn van Oosterhout wrote:
> One case I can think of is where you regularly ssh into a machine with
> a dynamic IP address. Maybe with or without a dyndns name. Depending
> on the size of the ISP and how often the address changes the
> known_hosts files could increase without bound.
I don't bel
2005/7/3, Colin Watson <[EMAIL PROTECTED]>:
> On Sun, Jul 03, 2005 at 03:28:15PM +0200, Bernd Eckenfels wrote:
> > In article <[EMAIL PROTECTED]> you wrote:
> > > That's true, and unavoidable in this scheme; but the use case (beyond
> > > fastidiousness) for this is not clear to me.
> >
> > Well, h
On Sun, Jul 03, 2005 at 11:08:38AM +0200, Florian Weimer wrote:
> * Colin Watson:
> > On Sat, Jul 02, 2005 at 09:04:18PM +0200, Florian Weimer wrote:
> >> There should be tools supporting this, I agree.
> >
> > There is such a tool, which I mentioned in the changelog:
> >
> > - ssh and ssh-keys
On Sun, Jul 03, 2005 at 05:16:08PM +0200, Kurt Roeckx wrote:
> On Sun, Jul 03, 2005 at 03:52:07PM +0100, Colin Watson wrote:
> > The only time I've ever removed entries from
> > known_hosts is when I know that a specific host's key has changed, and
> > 'ssh-keygen -R' deals with that just fine.
>
On Sun, Jul 03, 2005 at 03:52:07PM +0100, Colin Watson wrote:
> The only time I've ever removed entries from
> known_hosts is when I know that a specific host's key has changed, and
> 'ssh-keygen -R' deals with that just fine.
That option seems to be undocumented. It's not in the man page
or the
On Sun, Jul 03, 2005 at 03:28:15PM +0200, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > That's true, and unavoidable in this scheme; but the use case (beyond
> > fastidiousness) for this is not clear to me.
>
> Well, how do you audit the files and purge stale entries.
Tha
In article <[EMAIL PROTECTED]> you wrote:
> That's true, and unavoidable in this scheme; but the use case (beyond
> fastidiousness) for this is not clear to me.
Well, how do you audit the files and purge stale entries.
Gruss
Bernd
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of
On Sun, Jul 03, 2005 at 12:17:13AM +0100, Colin Watson wrote:
> On Sat, Jul 02, 2005 at 11:19:26AM +0200, Marco d'Itri wrote:
> > (BTW, would you mind fixing #284874? It's six months old and should be
> > trivial...)
>
> Sorry I haven't got round to this yet. The reason I haven't done it is
> that
On Sun, Jul 03, 2005 at 02:16:08AM +0200, Marco d'Itri wrote:
> On Jul 03, Colin Watson <[EMAIL PROTECTED]> wrote:
> > Then I'm afraid you simply haven't read the documentation ...
>
> I did. But I cannot remove entries if I do not know the hostname.
That's true, and unavoidable in this scheme; b
* Colin Watson:
> On Sat, Jul 02, 2005 at 09:04:18PM +0200, Florian Weimer wrote:
>> * Wouter Verhelst:
>> > Some of us actually do care what is listed in that file, and edit it
>> > from time to time. Hashing those names makes that much harder
>>
>> There should be tools supporting this, I agree
On Jul 03, Colin Watson <[EMAIL PROTECTED]> wrote:
> > The need to edit the file to add/update/remove IP addresses, hostnames
> > and whole keys.
> Then I'm afraid you simply haven't read the documentation ...
I did. But I cannot remove entries if I do not know the hostname.
--
ciao,
Marco
On Sat, Jul 02, 2005 at 08:17:57PM +0200, Marco d'Itri wrote:
> On Jul 02, Olaf van der Spek <[EMAIL PROTECTED]> wrote:
> > On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
> > > What is the rationale for changing the default setting?
> > > I find it very annoying, and from a brief discussion on
On Sat, Jul 02, 2005 at 11:42:40PM +0200, Marco d'Itri wrote:
> On Jul 02, Wouter Verhelst <[EMAIL PROTECTED]> wrote:
> > Well, then the 'foundation of Internet security' is very weak, I'm
> > afraid. It's plain stupid to rely on someone else to get _your_ security
> > working correctly. Think abou
On Sat, Jul 02, 2005 at 09:04:18PM +0200, Florian Weimer wrote:
> * Wouter Verhelst:
> > Some of us actually do care what is listed in that file, and edit it
> > from time to time. Hashing those names makes that much harder
>
> There should be tools supporting this, I agree.
There is such a tool,
On Sat, Jul 02, 2005 at 11:19:26AM +0200, Marco d'Itri wrote:
> What is the rationale for changing the default setting?
It's very likely to become the upstream default soon enough; they are
merely waiting on more testing. Since this is unstable, I decided it was
as good a time as any to provide so
On Jul 02, Wouter Verhelst <[EMAIL PROTECTED]> wrote:
> Well, then the 'foundation of Internet security' is very weak, I'm
> afraid. It's plain stupid to rely on someone else to get _your_ security
> working correctly. Think about it.
There is also the quite important point that even the most stup
On 7/2/05, Wouter Verhelst <[EMAIL PROTECTED]> wrote:
> > > -- and relying on other people's security to increase your own isn't
> > > pretty clever, actually.
> >
> > Currently, it's the foundation of Internet security, I'm afraid.
>
> Well, then the 'foundation of Internet security' is very weak
On Sat, Jul 02, 2005 at 09:04:18PM +0200, Florian Weimer wrote:
> * Wouter Verhelst:
>
> > Some of us actually do care what is listed in that file, and edit it
> > from time to time. Hashing those names makes that much harder
>
> There should be tools supporting this, I agree.
There are tools su
* Wouter Verhelst:
> Some of us actually do care what is listed in that file, and edit it
> from time to time. Hashing those names makes that much harder
There should be tools supporting this, I agree.
> -- and relying on other people's security to increase your own isn't
> pretty clever, actual
* Marco d'Itri:
> On Jul 02, Florian Weimer <[EMAIL PROTECTED]> wrote:
>
>> > What is the rationale for changing the default setting?
>> Reducing wormability. I think it's a pretty clever change.
> This is not what I asked, I know what this option is for.
Given its purpose, this option doesn't
On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
> On Jul 02, Olaf van der Spek <[EMAIL PROTECTED]> wrote:
>
> > On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
> > > What is the rationale for changing the default setting?
> > > I find it very annoying, and from a brief discussion on #debian-
On Jul 02, Olaf van der Spek <[EMAIL PROTECTED]> wrote:
> On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
> > What is the rationale for changing the default setting?
> > I find it very annoying, and from a brief discussion on #debian-devel I
> > see that I'm not alone.
> What causes this annoya
On Sat, Jul 02, 2005 at 03:05:47PM +0200, Florian Weimer wrote:
> * Marco d'Itri:
>
> > What is the rationale for changing the default setting?
>
> Reducing wormability. I think it's a pretty clever change.
Some of us actually do care what is listed in that file, and edit it
from time to time.
On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
> What is the rationale for changing the default setting?
> I find it very annoying, and from a brief discussion on #debian-devel I
> see that I'm not alone.
What causes this annoyance?
On Jul 02, Florian Weimer <[EMAIL PROTECTED]> wrote:
> > What is the rationale for changing the default setting?
> Reducing wormability. I think it's a pretty clever change.
This is not what I asked, I know what this option is for.
--
ciao,
Marco
* Marco d'Itri:
> What is the rationale for changing the default setting?
Reducing wormability. I think it's a pretty clever change.
On 7/2/05, Marco d'Itri <[EMAIL PROTECTED]> wrote:
> What is the rationale for changing the default setting?
> I find it very annoying, and from a brief discussion on #debian-devel I
> see that I'm not alone.
I guess it went from off to on?
Wasn't there an issue with worms using the known hosts fi