[isabelle-dev] isatest ssh
Makarius
makarius at sketis.net
Mon Nov 26 11:01:51 CET 2012
On Sun, 25 Nov 2012, Gerwin Klein wrote:
> On 20/11/2012, at 11:23 PM, Makarius <makarius at sketis.net> wrote:
>
>> There is this recurrent game to have the isatest user do many manual ssh logins to update known_hosts. Getting tired of it, I just did some reading of man ssh_config and some googling. This resulted in the following ~isatest/.ssh/config:
>>
>> Host *
>> #see http://linuxcommando.blogspot.fr/2008/10/how-to-disable-ssh-host-key-checking.html
>> StrictHostKeyChecking no
>> UserKnownHostsFile=/dev/null
>>
>> Maybe it helps in other situations, too. Or maybe there is an ssh
>> expert saying that this is really really bad.
>
> ssh does check these keys for a reason; it is now easy for another host
> to pretend to be one of the servers isatest wants to access. On the
> other hand, it's unclear what an attacker would gain from having isatest
> run a large isabelle session. There are easier ways to do that ;-)

Do these attacks also work from the free net outside TUM?

The reasoning (or rather hope) behind the above was that for doing real
nonsense you would have to be on the local network at TUM. So it is
basically a switch back towards the old-fashioned ways of rsh.

BTW, the local network is totally insecure if accessed from inside.
There are many ways to do nonsense, but we had better not explain that
here.

Makarius
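
A check for the two settings in the configuration quoted above, as an added example that is not part of the original thread: it parses ssh_config text (both the `keyword value` and `keyword=value` forms used there) and reports options that turn off host key verification. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the configuration quoted in the message above.
SAMPLE_CONFIG = """\
Host *
#see http://linuxcommando.blogspot.fr/2008/10/how-to-disable-ssh-host-key-checking.html
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
"""

# ssh_config(5): keyword and arguments are separated by whitespace, or by
# optional whitespace and exactly one '='; keywords are case-insensitive.
_LINE = re.compile(r'^\s*([A-Za-z]+)(?:\s*=\s*|\s+)(.*?)\s*$')


def parse(text):
    """Yield (lineno, scope, keyword, value) for each option line."""
    scope = "(global)"
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        m = _LINE.match(raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip('"')
        if key in ("host", "match"):
            scope = f"{m.group(1)} {value}"  # options below apply to this block
            continue
        yield lineno, scope, key, value


def audit(text):
    """Return (lineno, scope, reason) for options that disable host key checks."""
    findings = []
    for lineno, scope, key, value in parse(text):
        if key == "stricthostkeychecking" and value.lower() in ("no", "off"):
            findings.append((lineno, scope, "unknown host keys are accepted without prompting"))
        elif key == "userknownhostsfile" and "/dev/null" in value.split():
            findings.append((lineno, scope, "no host keys are remembered between connections"))
    return findings


if __name__ == "__main__":
    for lineno, scope, why in audit(SAMPLE_CONFIG):
        print(f"line {lineno} [{scope}]: {why}")
```
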