Re: HashKnownHosts

On Sat, Jul 02, 2005 at 11:19:26AM +0200, Marco d'Itri wrote:
> What is the rationale for changing the default setting?

It's very likely to become the upstream default soon enough; they are
merely waiting on more testing. Since this is unstable, I decided it was
as good a time as any to provide some of that testing, since the feature
seemed solid enough to me.

> I find it very annoying, and from a brief discussion on #debian-devel I
> see that I'm not alone.

I'll need a much better reason than that to be persuaded to disable it
again. While I realise that it's quite a soft security measure and that
all it does is slow down attack vectors somewhat, it does manage that,
and userspace tools to manage known_hosts are now provided (and,
frankly, I'd rather people used those than that they went in and edited
known_hosts by hand anyway; the latter used to cause problems when
people accidentally inserted line breaks or whatever).

> (BTW, would you mind fixing #284874? It's six months old and should be
> trivial...)

Sorry I haven't got round to this yet. The reason I haven't done it is
that it should be added to both /usr/share/doc/openssh-client/ and
/usr/share/doc/openssh-server/, which led me to decide that the
documentation directories should be symlinked together; unfortunately,
when I tried to do this I ran into some complicated upgrade issues that
I couldn't resolve at the time, involving some of the documentation
directories going missing entirely in some cases. I'll give it another
try soon.


Colin Watson                                       [cjwatson@debian.org]
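
Added example, not part of the original message and not OpenSSH's own code: a sketch of how a lookup by hostname works against a known_hosts file once HashKnownHosts is on, which is the job the userspace tools mentioned above do for you. It relies on the hashed host field being "|1|", then the base64 salt, "|", then the base64 HMAC-SHA1 of the hostname keyed with that salt; the function names, hostnames, salt and key blobs are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

MAGIC = "|1|"  # prefix OpenSSH writes before a hashed host field

def hash_host(host, salt=None):
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    salt = os.urandom(20) if salt is None else salt
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()

def host_matches(field, host):
    """True if the first field of a known_hosts line names `host`."""
    if not field.startswith(MAGIC):
        return host in field.split(",")  # plain entry; exact names only, no patterns
    try:
        salt_b64, digest_b64 = field[len(MAGIC):].split("|")
        salt = base64.b64decode(salt_b64, validate=True)
        stored = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # malformed field (also covers binascii.Error)
        return False
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, stored)

def find_host(known_hosts_text, host):
    """Return [(line_number, key_type)] for entries matching `host`."""
    hits = []
    for number, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) >= 3 and host_matches(fields[0], host):
            hits.append((number, fields[1]))
    return hits

# Constructed sample: hostnames, salt and key blobs are made up for this example.
SAMPLE = "\n".join([
    "# constructed known_hosts sample",
    hash_host("build.example.org", b"\x07" * 20) + " ssh-ed25519 CONSTRUCTED_KEY_BLOB",
    "git.example.org,192.0.2.10 ssh-rsa CONSTRUCTED_KEY_BLOB",
])

if __name__ == "__main__":
    for name in ("build.example.org", "192.0.2.10", "other.example.org"):
        print(name, find_host(SAMPLE, name))
```

Because each entry carries its own salt, the same hostname hashes differently on every line, so a lookup has to recompute the HMAC per entry rather than search for a fixed string.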

