Re: HashKnownHosts
On Sat, Jul 02, 2005 at 11:42:40PM +0200, Marco d'Itri wrote:
> On Jul 02, Wouter Verhelst <wouter@debian.org> wrote:
> > Well, then the 'foundation of Internet security' is very weak, I'm
> > afraid. It's plain stupid to rely on someone else to get _your_ security
> > working correctly. Think about it.
>
> There is also the quite important point that even the most stupid of the
> attackers could just look at ~/.bash_profile instead and get all or most
> of the hostnames anyway, so I still do not see the benefits of enabling
> this option by default.
Firstly, ~/.bash_profile expires regularly; ~/.ssh/known_hosts never
expires. Secondly:
       HISTIGNORE
              A colon-separated list of patterns used to decide which
              command lines should be saved on the history list. Each
              pattern is anchored at the beginning of the line and
              must match the complete line (no implicit ‘*’ is
              appended). Each pattern is tested against the line
              after the checks specified by HISTCONTROL are applied.
              In addition to the normal shell pattern matching
              characters, ‘&’ matches the previous history line. ‘&’ may be
              escaped using a backslash; the backslash is removed
              before attempting a match. The second and subsequent
              lines of a multi-line compound command are not tested,
              and are added to the history regardless of the value of
              HISTIGNORE.
In any case, I do not see "information exposed over there" as a reason
in itself why information should be exposed over here, especially when
the exposure over there is much weaker.
--
Colin Watson [cjwatson@debian.org]