[Cryptography] Why aren’t we using SSH for everything?
Theodore Ts'o
tytso at mit.edu
Sun Jan 4 14:36:42 EST 2015
On Sat, Jan 03, 2015 at 10:14:38PM -0800, Tony Arcieri wrote:
> > No one forces users to blindly trust a remote host key on first
> > encountering it, that's why there are fingerprints and people should
> > validate those - if people are stupid and don't validate them, well then
> > you can't help such folks.
>
> Do you actually verify key fingerprints, and if so, how?
So I don't actually verify key _fingerprints_, but....
ssh-keygen -h -s ~/.ssh/cert_signer -I thunk.org -V +52w -n thunk,thunk.org -z 8 ~/.ssh/host-keys/thunk.pub
And in the sshd_config file:
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
Works quite nicely, since I only have to install a single
~/.ssh/known_hosts_cert file in each of my laptops/desktop/ChromeOS
clients.
- Ted
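The setup Ted describes, carried end to end in a scratch directory as an added example (this is not code from the original post): generate a CA key and a host key, sign the host key with the same flags as above (-h host cert, -I key id, -V validity, -n principals, -z serial), inspect the result with ssh-keygen -L, and emit the client-side @cert-authority line that goes into a known_hosts file. Throwaway ed25519 keys, the file names, and the thunk.org,*.thunk.org host pattern are assumptions made for the demo.

```sh
#!/bin/sh
# Added example, not code from the original post. All key material is
# generated into a temporary directory; nothing touches ~/.ssh or sshd.
set -eu

# Generate a CA key and a host key, then sign the host key.
#   -h  host certificate (not a user certificate)
#   -I  key identifier, shown in sshd logs and by ssh-keygen -L
#   -V  validity window ending 52 weeks from now
#   -n  principals: the host names the certificate may be presented for
#   -z  serial number, the handle you later revoke by in a KRL
make_host_cert() {
    dir=$1
    mkdir -p "$dir"
    # CA private key; in real use keep it off the hosts it signs for.
    ssh-keygen -q -t ed25519 -N '' -C 'demo host CA' -f "$dir/cert_signer"
    # A host key as sshd would use it.
    ssh-keygen -q -t ed25519 -N '' -C 'demo host key' -f "$dir/ssh_host_ed25519_key"
    # Writes $dir/ssh_host_ed25519_key-cert.pub next to the public key.
    ssh-keygen -q -s "$dir/cert_signer" -h -I thunk.org -V +52w \
        -n thunk,thunk.org -z 8 "$dir/ssh_host_ed25519_key.pub"
}

# Read one single-line field ("Serial", "Key ID", ...) from ssh-keygen -L.
cert_field() {
    ssh-keygen -L -f "$1" | sed -n "s/^ *$2: *//p"
}

# List the principals the certificate is valid for, one per line.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/^ *Principals:/ {p=1; next} /^ *Critical Options:/ {p=0} p {print $1}'
}

# Client-side trust anchor: trust certificates signed by this CA, but only
# for hosts matching the listed patterns (never a bare "*", which would let
# the CA vouch for any host name).
known_hosts_ca_line() {
    # $1 is the CA public key file: "ssh-ed25519 AAAA... comment"
    printf '@cert-authority thunk.org,*.thunk.org %s\n' "$(cut -d' ' -f1,2 "$1")"
}

demo() {
    dir=$(mktemp -d)
    make_host_cert "$dir"
    cert=$dir/ssh_host_ed25519_key-cert.pub
    ssh-keygen -L -f "$cert"
    echo
    echo "# sshd_config on the host:"
    echo "HostKey /etc/ssh/ssh_host_ed25519_key"
    echo "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
    echo
    echo "# ~/.ssh/known_hosts_cert on each client; point ssh at it with"
    echo "#   UserKnownHostsFile ~/.ssh/known_hosts_cert ~/.ssh/known_hosts"
    known_hosts_ca_line "$dir/cert_signer.pub"
    rm -rf "$dir"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    demo
else
    echo "ssh-keygen not found; nothing to demonstrate" >&2
fi
```

Two things the client checks that a plain fingerprint comparison never gives you: the host name you typed must match one of the -n principals, and the current time must fall inside the -V window, so a leaked host key stops being useful after expiry even if nobody notices the leak. Keeping serials unique (-z) is what makes a later RevokedHostKeys KRL entry precise.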