On 20/11/2012, at 11:23 PM, Makarius <[email protected]> wrote:

> There is this recurrent game to have the isatest user do many manual ssh
> logins to update known_hosts. Getting tired of it, I just did some reading
> of man ssh_config and some googling. This resulted in the following
> ~isatest/.ssh/config:
>
>   Host *
>     #see http://linuxcommando.blogspot.fr/2008/10/how-to-disable-ssh-host-key-checking.html
>     StrictHostKeyChecking no
>     UserKnownHostsFile=/dev/null
>
> Maybe it helps in other situations, too. Or maybe there is an ssh expert
> saying that this is really really bad.

ssh does check these keys for a reason; it is now easy for another host to pretend to be one of the servers isatest wants to access. On the other hand, it's unclear what an attacker would gain from having isatest run a large isabelle session. There are easier ways to do that ;-)

A more direct effect is that I'm now getting a lot of emails from cron on the isatest account about hosts not being known. We could pipe that output to /dev/null as well, but we risk less diagnostic feedback when things do go wrong.

Cheers,
Gerwin

_______________________________________________
isabelle-dev mailing list
[email protected]
https://mailmanbroy.informatik.tu-muenchen.de/mailman/listinfo/isabelle-dev
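
An added example, not part of the original thread: a shell function that scans an ssh_config for the two settings quoted above, so that an account where host key verification has been switched off shows up in a review. The host name `build1.example.org` and the file `known_hosts.isatest` are constructed for the sample; each block is reported on its own, without resolving which Host pattern applies to a given server.

```shell
#!/bin/sh
# Added example: report ssh_config blocks that turn off host key verification.
# Reads a config on stdin (or files given as arguments) and prints
# "<Host pattern>: <setting>" for each risky setting found.
audit_ssh_config() {
    awk '
    BEGIN { host = "(global)" }
    function report() {
        # "no", "off" and "false" all disable the check in OpenSSH
        if (strict == "no" || strict == "off" || strict == "false")
            print host ": StrictHostKeyChecking " strict
        if (khf == "/dev/null")
            print host ": UserKnownHostsFile /dev/null"
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        # ssh_config accepts "Key value" and "Key=value"; the mail uses both
        if (!match(line, /[ \t=]/)) next
        key = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART)
        sub(/^[ \t]*=?[ \t]*/, "", val)
        sub(/[ \t]+$/, "", val)
        gsub(/"/, "", val)
        if (key == "host" || key == "match") {
            report(); host = val; strict = ""; khf = ""
        } else if (key == "stricthostkeychecking" && strict == "") {
            strict = tolower(val)      # first value obtained wins
        } else if (key == "userknownhostsfile" && khf == "") {
            khf = val
        }
    }
    END { report() }
    ' "$@"
}

# Constructed sample: a pinned host (hypothetical name and file) followed by
# the catch-all block from the mail.
sample_config() {
    cat <<'EOF'
Host build1.example.org
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts.isatest
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
EOF
}

sample_config | audit_ssh_config
```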
