On Mon, Jan 17, 2011 at 4:55 PM, Michael Halcrow <[email protected]> wrote:
> On Wed Jan 12 11:42:40 MST 2011, Andrew McNabb <[email protected]> wrote:
> >> I just added an alias to my zshrc that I thought was worth sharing:
> >>
> >> # securiSH SHell: Make it easy to ssh without worrying about host keys.
> >> alias shsh="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
> >
> > At a security conference I attended some time back, the host of a
> > discussion session asked who always checks the SSH fingerprint on every
> > connection. No hands went up.
> >
> > As it turns out, it would probably suffice to fabricate just the
> > first 8 or so characters and the last 8 characters of the
> > fingerprint, which is much more easily brute-forced than the
> > entire hash. Only a few OCD admins with time to burn will
> > meticulously validate every character of every fingerprint.
> >
> > At some point you just need to be able to trust the integrity of
> > your internal network if you want to get any kind of work done,
> > which is why I am not inclined to run screaming when Andrew
> > suggests doing a thing like this. Of course, one must
> > intelligently evaluate the threat model for his deployment if one
> > endeavors to take on the role of the almighty Admin.
> >
> > (And we unfortunately can't all have the luxury of WDS and a tidy
> > Windows domain).

[email protected]? Touting WDS and Windows domain? Are you related to the
guy who used to post long zealous Free Software rants on this list like,
10 years ago?

Bryan

--------------------
BYU Unix Users Group
http://uug.byu.edu/

The opinions expressed in this message are the responsibility of their
author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
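
The point quoted above about checking only the first and last 8 characters of a fingerprint, as an added example (not code from anyone in this thread): it compares a by-eye prefix/suffix check with a full comparison against a pinned fingerprint. The key blob, the `lookalike` helper and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

HEX = "0123456789abcdef"

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

# Constructed sample key (not a real host key): ed25519 blob with dummy bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"

def fingerprints(pubkey_line: str):
    """Return (MD5 colon-hex, SHA256 base64) fingerprints of a public key line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5, "SHA256:" + sha

def eyeball_match(shown: str, expected: str, n: int = 8) -> bool:
    """The human shortcut: compare only the first n and last n characters."""
    return shown[:n] == expected[:n] and shown[-n:] == expected[-n:]

def full_match(shown: str, expected: str) -> bool:
    """Compare every character of the fingerprint."""
    return hmac.compare_digest(shown.encode(), expected.encode())

def checked_bits(md5_fp: str, n: int = 8) -> int:
    """Bits of an MD5 colon-hex fingerprint that eyeball_match() actually covers."""
    return 4 * sum(c in HEX for c in md5_fp[:n] + md5_fp[-n:])

def lookalike(md5_fp: str, n: int = 8) -> str:
    """Constructed fingerprint: same first/last n characters, different middle."""
    middle = md5_fp[n:-n].translate(str.maketrans(HEX, HEX[1:] + HEX[0]))
    return md5_fp[:n] + middle + md5_fp[-n:]

if __name__ == "__main__":
    pinned, sha = fingerprints(SAMPLE_LINE)
    other = lookalike(pinned)
    print(pinned, sha, sep="\n")
    print("eyeball:", eyeball_match(other, pinned), "full:", full_match(other, pinned))
    print("bits checked by eye:", checked_bits(pinned), "of 128")
```

Letting `ssh` do the full comparison against a maintained known_hosts file achieves the same thing as `full_match` without relying on anyone's eyes.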
