[clue-tech] ssh, vim helper
David L. Anselmi
anselmi at anselmi.us
Sat Oct 18 22:33:23 MDT 2008
Collins Richey wrote:
> On Sat, Oct 18, 2008 at 5:39 PM, David L. Anselmi <anselmi at anselmi.us> wrote:
[...]
>> Do you use /etc/ssh/ssh_known_hosts so users don't have to identify man in
>> the middle attacks themselves?
>
> In almost all cases our users are internal, behind a firewall, not
> visible on the wild and wooly internet.

That's not the point. You have a chance to spare your users being asked
to trust a key that they won't (maybe can't) verify. It's good form to
spare them.

If you went as far as to tell them to call you whenever they see such a
message you might improve your security. But they've already been
trained to ignore security questions by SSL and personal firewalls (oh,
and pop-up blockers).

Dave
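
An added example, not part of the original message: one way an administrator could check that a system-wide `/etc/ssh/ssh_known_hosts` file carries exactly the host keys that were verified out of band, so users never meet the trust prompt for those hosts. The hostnames, addresses and keys are constructed sample data, and the function names are hypothetical.

```python
import base64, hashlib, struct

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Yield (names, key_type, b64_blob) for plain entries in known_hosts text."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|1|")):
            continue  # blank, comment, @marker or hashed-name line: not audited here
        yield fields[0].split(","), fields[1], fields[2]

def audit(known_hosts_text, verified):
    """Map each verified host to 'ok', 'mismatch' or 'missing'."""
    seen = {}
    for names, _key_type, blob in parse_known_hosts(known_hosts_text):
        for name in names:
            seen.setdefault(name, set()).add(fingerprint(blob))
    report = {}
    for host, expected in verified.items():
        keys = seen.get(host)
        # missing: users still get the prompt; mismatch: file has an unverified key
        report[host] = "missing" if not keys else "ok" if expected in keys else "mismatch"
    return report

def constructed_key(seed):
    """Build a syntactically valid ssh-ed25519 blob from a seed (sample data only)."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32)
    return base64.b64encode(raw + hashlib.sha256(seed).digest()).decode()

# Constructed sample: hostnames, addresses and keys are made up for illustration.
BUILD, FILES, STALE = (constructed_key(s) for s in (b"build", b"files", b"stale"))
SAMPLE = (
    "# distributed as /etc/ssh/ssh_known_hosts\n"
    f"build01.example.com,192.0.2.5 ssh-ed25519 {BUILD} console-verified\n"
    f"files01.example.com ssh-ed25519 {STALE}\n"
)
VERIFIED = {  # fingerprints an admin read at each host's console (assumed)
    "build01.example.com": fingerprint(BUILD),
    "files01.example.com": fingerprint(FILES),
    "mail01.example.com": fingerprint(constructed_key(b"mail")),
}

if __name__ == "__main__":
    print(audit(SAMPLE, VERIFIED))
```

Entries with wildcard patterns or hashed hostnames are outside what this sketch audits; it matches literal names only.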