Martin,

> SSH: With SSH the known_hosts file is kept in the home directory of
> the user and it is only protected by means of the underlying OS.

A better idea than to let users maintain their own is, however, that the admin(s) should maintain a central /etc/ssh_known_hosts file on every host, adding entries using whichever verifiable means when new hosts are added to the network and distributing this to all hosts. This is trivial.

On the other hand, you will need to constantly make sure that users' own known_hosts files do not have entries for any hosts listed in the centrally maintained ssh_known_hosts file, since they take precedence, which is slightly annoying. Or maybe the code should be changed!

The code that does this is in sshconnect.c, starting on line 1370 in v1.2.30. Flipping the order is rather trivial. I'd appreciate it if somebody presented a well-argued view on why the order should be "user first" before I recompile on 7 different platforms :-)

--
Atro Tossavainen (Mr.)                  / The Institute of Biotechnology at
Systems Analyst, Techno-Amish &         / the University of Helsinki, Finland,
+358-9-19158939 UNIX Dinosaur           / employs me, but my opinions are my own.
< URL : http://www.iki.fi/atro.tossavainen/ >
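The "constantly make sure" step above is the part an admin can actually script. The following is an added example, not code from Atro's post nor from the SSH source he refers to: a POSIX sh/awk audit that reports every host in a user's known_hosts that also appears in the central ssh_known_hosts, and flags the dangerous case where the user's key for that host differs from the admin-verified one (a shadowing entry that would win under "user first" precedence). It assumes modern SSH2-style lines ("host[,host...] keytype base64 [comment]"); hashed ("|1|...") and marker ("@cert-authority ...") entries are skipped rather than parsed, and the two sample files are constructed in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit a user's known_hosts for
# entries that shadow the centrally maintained /etc/ssh_known_hosts.
# Assumes SSH2-style lines: "host[,host...] keytype base64 [comment]".
# Hashed ("|1|...") and marker ("@...") entries are skipped, not parsed.

# key_pairs FILE: print "host<TAB>keytype base64" for every plain entry,
# one line per hostname in the comma-separated first field.
key_pairs() {
    awk '
        /^[[:space:]]*[#@|]/ { next }          # comments, markers, hashed hosts
        NF < 3 { next }                         # blank or malformed line
        { n = split($1, h, ",")
          for (i = 1; i <= n; i++) print h[i] "\t" $2 " " $3 }
    ' "$1" | sort -u
}

# shadow_report GLOBAL USER: for each host in USER that also appears in
# GLOBAL, print "host same" when the keys agree or "host DIFFERENT" when
# the user's entry would override the admin-verified key.
shadow_report() {
    g=$(mktemp) u=$(mktemp)
    key_pairs "$1" > "$g"
    key_pairs "$2" > "$u"
    awk -F '\t' '
        FILENAME == ARGV[1] { gkey[$1] = $2; next }   # load central keys
        ($1 in gkey) { status = ($2 == gkey[$1]) ? "same" : "DIFFERENT"
                       print $1, status }
    ' "$g" "$u"
    rm -f "$g" "$u"
}

# run_demo: build constructed sample files (not real keys) and audit them.
run_demo() {
    demo=$(mktemp -d)
    cat > "$demo/ssh_known_hosts" <<'EOF'
# central file maintained by the admins (constructed sample)
alpha.example.org,10.0.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlphaKeyFromAdmins
beta.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBetaKeyFromAdmins
EOF
    cat > "$demo/known_hosts" <<'EOF'
alpha.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlphaKeyFromAdmins
beta.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDifferentBetaKey
gamma.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGammaOnlyInUserFile
|1|hashedsalt=|hashedhost= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHashedEntrySkipped
EOF
    shadow_report "$demo/ssh_known_hosts" "$demo/known_hosts"
    rm -rf "$demo"
}

run_demo
```

Run as `sh audit.sh` for the demo, or call `shadow_report /etc/ssh_known_hosts /home/someone/.ssh/known_hosts` from a cron job looping over home directories. A "same" line is merely redundant and can be deleted from the user's file; a "DIFFERENT" line is the one worth investigating, since that is exactly the entry that would silently override the centrally verified key.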
