Re: ssh_host_keys

2008-12-10 Thread Till Maas
On Wed December 10 2008, Mike McGrath wrote:
 On Wed, 10 Dec 2008, Mike McGrath wrote:

  I've not actually used global ssh_known_hosts before, I wouldn't be
  surprised if it causes issues in some of our scripts that might have a
  conflicting ~/.ssh/known_hosts.  Let's keep our eyes open.

If there is a conflict, then the public key of the host the script connects to 
will probably not match. Therefore there is a problem anyway.

 http://fedoraproject.org/wiki/Infrastructure/SOP/ssh_known_hosts

I suggest using

echo app1,10.8.34.59 $(cat /etc/ssh/ssh_host_rsa_key.pub)

on the machine in question instead of 

ssh-keyscan -t rsa app1,10.8.34.59

on a remote machine. Otherwise there may still be a small window of 
opportunity for a MITM attack.

Regards,
Till



___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list


Re: ssh_host_keys

2008-12-10 Thread Chuck Anderson
On Wed, Dec 10, 2008 at 11:04:25PM +0100, Till Maas wrote:
 On Wed December 10 2008, Mike McGrath wrote:
  http://fedoraproject.org/wiki/Infrastructure/SOP/ssh_known_hosts
 
 I suggest using
 
 echo app1,10.8.34.59 $(cat /etc/ssh/ssh_host_rsa_key.pub)

You may also want to include the FQDN and any other aliases for each 
machine.  Otherwise if you try to ssh to a host using an FQDN or 
alias/CNAME, ssh will add a new entry to ~/.ssh/known_hosts with the 
new name, even if an entry for that IP address already exists in the 
global /etc/ssh/ssh_known_hosts.

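Putting the two suggestions in this thread together (generate the entry on the host itself from its own public host key rather than with a remote ssh-keyscan, and list the short name, FQDN, any aliases/CNAMEs and the IP on that one line), here is an added shell example. It is not from the Fedora SOP page and not code posted by either Till or Chuck; the host names, the IP address and the key blob in it are made up for the demo, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: build global ssh_known_hosts lines on the host itself, from
# its own /etc/ssh/ssh_host_*_key.pub files, so no ssh-keyscan is run over the
# network and there is no first-contact window for a MITM.

# known_hosts_entry NAMES KEYFILE
#   NAMES   comma-separated list of every name the host is reached by:
#           short name, FQDN, aliases/CNAMEs, IP address(es)
#   KEYFILE a public host key file, format "<type> <base64> [comment]"
# Prints one known_hosts line: "<NAMES> <type> <base64>". The trailing
# comment (e.g. root@app1) is dropped; sshd would tolerate it, but leaving
# it out keeps the file uniform.
known_hosts_entry() {
    names=$1
    keyfile=$2
    read -r ktype kdata _ < "$keyfile" || return 1
    [ -n "$ktype" ] && [ -n "$kdata" ] || return 1
    printf '%s %s %s\n' "$names" "$ktype" "$kdata"
}

# known_hosts_entries NAMES KEYDIR
#   Emit one line per ssh_host_*_key.pub in KEYDIR (rsa, ed25519, ...), so a
#   client that negotiates any of the host's key types finds a pinned entry
#   under every name, rather than ssh appending a new ~/.ssh/known_hosts
#   line the first time an FQDN or CNAME is used.
known_hosts_entries() {
    names=$1
    keydir=$2
    for f in "$keydir"/ssh_host_*_key.pub; do
        [ -f "$f" ] || continue
        known_hosts_entry "$names" "$f" || return 1
    done
}

# Demo with a constructed key directory and a dummy key blob (not a real key).
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdummykeydata== root@app1\n' \
    > "$demo_dir/ssh_host_rsa_key.pub"
known_hosts_entries "app1,app1.fedoraproject.org,10.8.34.59" "$demo_dir"
rm -rf "$demo_dir"
```

On the real machine the NAMES argument would be assembled from its own view of itself, for example `"$(hostname -s),$(hostname -f),10.8.34.59"` (adding CNAMEs by hand, since the host cannot discover those), and the output appended to the central ssh_known_hosts file; `hostname -i` can fill in the address on Linux but is not portable. Because the key data comes from the host's own disk, the only thing to protect is the transport of the resulting lines into the global file, e.g. over an already-verified ssh session or via the configuration management system.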