Bug#679751: please clarify package account and home directory location in policy

Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr> writes:
> On Tue, Jul 03, 2012 at 10:04:45AM -0700, Russ Allbery wrote:

>> Oh, right, for the client.  Yes, yes.

>> Well, personally I would not consider either the client's key or the
>> known_hosts file to be configuration files.

> In some common situations, the known_hosts is clearly a configuration
> file.  If ssh is restricted to connecting to known hosts, then the user
> is supposed to prefill the known_hosts file with the small set of hosts
> that are allowed, then it becomes a configuration file.

That is one possible way to use the file, but I think the common usage
of known_hosts is to do first-connect leap-of-faith, in which case it
doesn't behave like a configuration file.

I think it's perfectly acceptable to have an admin drop data into a
/var/lib directory for non-default configurations of packages.  I wouldn't
use a hand-maintained file as the default configuration, since usually
it's too much pain for insufficient security gain.

But that's all just my opinion, and the known_hosts file is pretty easy to
also symlink into /etc if Marc disagrees and feels like, for this package,
it should really be hand-maintained.

The private key of the client is trickier to turn into a configuration
file, but there I really don't think it behaves like a configuration file

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
