On Wed Jan 12 11:42:40 MST 2011, Andrew McNabb <[email protected]> wrote:
> I just added an alias to my zshrc that I thought was worth sharing:
>
> # securiSH SHell: Make it easy to ssh without worrying about host keys.
> alias shsh="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
At a security conference I attended some time back, the host of a discussion session asked who always checks the SSH fingerprint on every connection. No hands went up. As it turns out, it would probably suffice to fabricate just the first 8 or so characters and the last 8 characters of the fingerprint, which is much more easily brute-forced than the entire hash. Only a few OCD admins with time to burn will meticulously validate every character of every fingerprint. At some point you just need to be able to trust the integrity of your internal network if you want to get any kind of work done, which is why I am not inclined to run screaming when Andrew suggests doing a thing like this. Of course, one must intelligently evaluate the threat model for his deployment if one endeavors to take on the role of the almighty Admin. (And we unfortunately can't all have the luxury of WDS and a tidy Windows domain).
--------------------
BYU Unix Users Group http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
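Added example, not part of either message above: a small Python model of the "first 8 and last 8 characters" check the reply describes, so the claim about brute-force cost can be seen rather than guessed at. It assumes the MD5 colon-hex fingerprint format that `ssh-keygen -l` printed by default in 2011 (current OpenSSH shows SHA256 base64 by default), and it stands in constructed byte strings for real public-key blobs; the functions `eyeball_match`, `hex_digits_checked`, `expected_tries` and `forge_eyeball_collision` are names chosen here, not OpenSSH APIs.

```python
"""Model of full vs. partial ("eyeball") SSH fingerprint verification.

Key blobs below are constructed byte strings, not real SSH public keys; the
fingerprint format is the 2011-era MD5 colon-hex form of `ssh-keygen -l`.
"""
import hashlib
import hmac


def md5_fingerprint(key_blob: bytes) -> str:
    """MD5 over the key blob, shown as 16 colon-separated hex bytes."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def strict_match(presented: str, pinned: str) -> bool:
    """Whole-fingerprint comparison (what a real known_hosts check amounts to)."""
    return hmac.compare_digest(presented, pinned)


def eyeball_match(presented: str, pinned: str, n: int = 8) -> bool:
    """Model of the admin who only glances at the first n and last n characters."""
    return presented[:n] == pinned[:n] and presented[-n:] == pinned[-n:]


def hex_digits_checked(n: int = 8) -> int:
    """How many hex digits the eyeball check really covers; colons carry nothing."""
    sample = md5_fingerprint(b"")
    if n < 0 or 2 * n > len(sample):
        raise ValueError("head and tail must not overlap")
    return sum(c != ":" for c in sample[:n]) + sum(c != ":" for c in sample[-n:])


def expected_tries(n: int = 8) -> int:
    """Expected number of random keys before one passes the eyeball check."""
    return 16 ** hex_digits_checked(n)


def forge_eyeball_collision(pinned: str, n: int, max_tries: int = 1 << 22) -> bytes:
    """Brute-force a blob whose fingerprint passes eyeball_match but not strict_match.

    Constructed blobs stand in for key generation; a real attacker pays a keygen
    per try, but the exponent 16 ** hex_digits_checked(n) is what sets the cost.
    """
    for i in range(max_tries):
        candidate = b"forged-key-" + str(i).encode()
        fp = md5_fingerprint(candidate)
        if eyeball_match(fp, pinned, n) and not strict_match(fp, pinned):
            return candidate
    raise RuntimeError("no collision found within max_tries")


if __name__ == "__main__":
    legit = b"ssh-rsa constructed-key-blob"  # constructed stand-in, not a real key
    pinned = md5_fingerprint(legit)
    print("pinned :", pinned)
    for n in (8, 4, 2):
        print(f"first/last {n} chars = {hex_digits_checked(n)} hex digits,"
              f" ~{expected_tries(n):,} tries")
    # 2 + 2 hex digits: ~65k tries, well under a second on any laptop.
    forged = forge_eyeball_collision(pinned, n=2)
    print("forged :", md5_fingerprint(forged), "(passes the 2-char eyeball check)")
```

Checking 8 characters at each end of a colon-separated MD5 fingerprint covers 12 hex digits, so a forged key is expected after about 16^12 (2^48) candidates instead of the 2^128 the full hash would demand; the script runs the search at n=2 only so it finishes quickly. The alias in the quoted message removes even this partial check: with `UserKnownHostsFile=/dev/null` there is never a stored key to compare against, so `StrictHostKeyChecking=no` accepts whatever key the far end presents on every connection.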
