
Re: key exchange doc


From: Mark Burgess
Subject: Re: key exchange doc
Date: Mon, 23 Sep 2002 22:46:34 +0200 (MET DST)

> 
>> All authentication is based on blind trust from an initial encounter.
>> Until you have been introduced to someone new, there is no way
>> in the universe to determine their ID except to trust their word.
> 
> True.  You have to trust the remote host if you want to run
> non-interactively.
> 
> The problem I see is that to do this non-interactively, you have
> to trust the remote host.  That might be sufficient, but after the
> key is loaded, that "trust" remains there.  What happens if the
> remote host "changes" the key? That could mean there is a
> "man-in-the-middle" attack, with another host pretending to
> be the trusted host.  SSH either asks if you want to accept
> the key, or it refuses to run at all (depending on the level
> of paranoia in the configuration).
> 
> To load a key securely, you are almost required to use a manual
> process - but if you want to set up a host automatically, this
> is unacceptable.
> 
> Perhaps trust could be allowed only if the relevant cfengine
> setup is missing?  That is, update.conf would be the only
> file present, and cfagent.conf is missing, perhaps.
> 
> After cfagent is present, then the host is never trusted again.


But this is exactly the point. What public keys do for you
is to allow you to base the rest of your life on one moment
of trust -- when the keys are exchanged. Perhaps you are
stumbling over the name "trust". It doesn't mean that
you are ignoring the keys thereafter like .rhosts (what would be the
point of having the keys?) it just means that if the
server/client is offered a key that it has never seen before
it must make a decision about whether to trust it or not.
(Once and only once). Thereafter, the keys are never changed
or removed and identity is based on the keys -- without 
requiring trust.

Man in the middle attacks are detectable by the challenge response
after keys are exchanged, but not before.

Maybe my documentation is poorly written. Please rewrite it
and send me your version. Perhaps you would prefer it if
"trust=" was called "acceptnewkey=" .. I wanted this to be
"in your face", because I think SSH pushes trust under the
rug. Most folks have no idea what SSH does. They trust it
because it is called "secure shell" !!!!

Mark


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
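The key-acceptance policy Mark describes (a host's key is trusted once, at the first encounter, and from then on identity is decided by comparing against the stored key, with a changed key refused as a possible man-in-the-middle) can be illustrated with a small model. The following is an added example, not code from cfengine or from the thread; the `KeyStore`, `decide` and `run_scenario` names, the use of a SHA-256 fingerprint, and the `trust_new_keys` flag standing in for the `trust=` setting are all assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class KeyStore:
    """Pinned public keys, indexed by host name (hypothetical store)."""
    known: dict = field(default_factory=dict)  # host -> fingerprint


def fingerprint(pubkey: bytes) -> str:
    """Identify a key by a SHA-256 digest of its bytes (an assumption; any stable digest works)."""
    return hashlib.sha256(pubkey).hexdigest()


def decide(store: KeyStore, host: str, offered_key: bytes, trust_new_keys: bool) -> str:
    """Apply the trust-on-first-use policy from the thread.

    - Unknown host and trust enabled: pin the key (the one moment of trust).
    - Unknown host and trust disabled: refuse; nothing is learned.
    - Known host, same key: accept purely on the key, no trust involved.
    - Known host, different key: refuse and flag it; a changed key is the
      symptom of a man-in-the-middle, and the trust flag does not override it.
    """
    fp = fingerprint(offered_key)
    pinned = store.known.get(host)
    if pinned is None:
        if trust_new_keys:
            store.known[host] = fp
            return "accepted-new-key"
        return "refused-unknown-key"
    if pinned == fp:
        return "accepted-known-key"
    return "refused-key-mismatch"


def run_scenario() -> list:
    """Walk one host through the lifecycle described in the mail (constructed keys)."""
    store = KeyStore()
    server_key = b"constructed server public key bytes"
    impostor_key = b"constructed impostor public key bytes"
    results = []
    # 1. First contact with trust off: the key is refused and not stored.
    results.append(decide(store, "server", server_key, trust_new_keys=False))
    # 2. First contact with trust on: the key is pinned (once and only once).
    results.append(decide(store, "server", server_key, trust_new_keys=True))
    # 3. Later contact with trust off: accepted on the pinned key alone.
    results.append(decide(store, "server", server_key, trust_new_keys=False))
    # 4. A different key for the same host is refused even with trust on.
    results.append(decide(store, "server", impostor_key, trust_new_keys=True))
    # 5. The pinned key is unchanged by the failed attempt.
    results.append(store.known["server"] == fingerprint(server_key))
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(run_scenario(), 1):
        print(step, outcome)
```

The point of step 4 is the one the thread turns on: once a key is pinned, `trust=` (here `trust_new_keys`) has no further effect, so an attacker who can only present a different key cannot exploit the setting. What the model does not show is the challenge-response that proves the remote end actually holds the private half of the pinned key; that check, as Mark notes, is only possible after the exchange, never before it.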
