[isabelle-dev] isatest ssh

Gerwin Klein Gerwin.Klein at nicta.com.au
Sun Nov 25 01:00:00 CET 2012


On 20/11/2012, at 11:23 PM, Makarius <makarius at sketis.net> wrote:

> There is this recurrent game to have the isatest user do many manual ssh logins to update known_hosts.  Getting tired of it, I just did some reading of man ssh_config and some googling.  This resulted in the following ~isatest/.ssh/config:
>
> Host *
>  #see http://linuxcommando.blogspot.fr/2008/10/how-to-disable-ssh-host-key-checking.html
>  StrictHostKeyChecking no
>  UserKnownHostsFile=/dev/null
>
> Maybe it helps in other situations, too.  Or maybe there is an ssh expert saying that this is really really bad.

ssh does check these keys for a reason; it is now easy for another host to pretend to be one of the servers isatest wants to access. On the other hand, it's unclear what an attacker would gain from having isatest run a large Isabelle session. There are easier ways to do that ;-)

A more direct effect is that I'm now getting a lot of emails from cron on the isatest account about hosts not being known.

We could pipe that output to /dev/null as well, but we risk less diagnostic feedback when things do go wrong.

Cheers,
Gerwin
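
An added example, not part of the original thread or of the Isabelle tooling: a shell check that flags the two settings discussed above in an ssh_config file and reports which Host block they apply to. The host name build1.example.org and the file known_hosts_isatest are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Flags ssh_config lines that turn off
# host key verification and names the Host/Match block they apply to.

audit_ssh_config() {
    # Reads the files given as arguments, or stdin when there are none.
    # Prints "<line>:<scope>:<keyword>=<value>" per finding; returns 1 if any.
    awk '
    BEGIN { scope = "(global)"; bad = 0 }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^#/) next        # blank line or comment
        if (!match(line, /^[A-Za-z]+/)) next
        word = substr(line, 1, RLENGTH)
        arg = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", arg)            # "Key value" or "Key=value"
        gsub(/"/, "", arg)
        key = tolower(word); val = tolower(arg)    # keywords are case-insensitive
        if (key == "host")  { scope = arg; next }
        if (key == "match") { scope = "match " arg; next }
        weak = (key == "stricthostkeychecking" &&
                (val == "no" || val == "off" || val == "false")) ||
               (key == "userknownhostsfile" && arg == "/dev/null")
        if (weak) { printf "%d:%s:%s=%s\n", FNR, scope, word, arg; bad = 1 }
    }
    END { exit bad }
    ' "$@"
}

# Constructed sample (hypothetical host and file names). ssh takes the first
# value it obtains for each keyword, so the pinned block precedes "Host *".
sample_config() {
    cat <<'EOF'
Host build1.example.org
 StrictHostKeyChecking yes
 UserKnownHostsFile ~/.ssh/known_hosts_isatest

Host *
 # settings quoted in the thread
 StrictHostKeyChecking no
 UserKnownHostsFile=/dev/null
EOF
}

sample_config | audit_ssh_config || true
```
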

