On 6/28/06, Phillip Vandry <[EMAIL PROTECTED]> wrote: > SSH implements neither a CA hierarchy (like X.509 certificates) nor > a web of trust (like PGP) so you are left checking the validity of > host keys yourself. Still, it's not so bad if you only connect to a > small handful of well known servers. You will either have verified > them all soon enough and not be bothered with it anymore, or system > administrators will maintain a global known_hosts file that lists > all the correct ones.
The answer to your question: RFC4255 "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints" http://www.ietf.org/rfc/rfc4255.txt You will only need to stuff the FP's into SSHFP DNS RR's and turn on verification for these records on the clients. Done. In combo with DNSSEC this is a (afaik ;) 100% secure way to at least get the finger prints right. Greets, Jeroen
signature.asc
Description: OpenPGP digital signature