Comments (8)
I agree with Simone. A check and warning if the fingerprint (or so far the
server) was requested by some users here also.
On 01.01.2015 06:29, "Simone" [email protected] wrote:
As far as I see, KeyBox does not save and check SSH fingerprints.
This would be a really nice addition.
from bastillion.
Kind of fuzzy on how this could work since this is SSL/TLS stacked on top of SSH. Users authenticate to KeyBox, then KeyBox authenticates to the servers with its SSH key. In the case of SSL/TLS, certificates are the mechanism used to validate authenticity (which it is a good idea to purchase or generate your own cert). StrictHostChecking couldn't be turned on between users and the host itself. Maybe it could work between KeyBox and the host, but there would have to be a way to resolve if the fingerprint doesn't match.
from bastillion.
I just thought about the integrity check between KeyBox and the configured
hosts. That is the connection that needs to be validated. So far KeyBox
then ensures the host connection and SSL/TLS ensures integrity of the
client session.
On 04.01.2015 18:20, "Sean Kavanagh" [email protected] wrote:
Kind of fuzzy on how this could work since this is SSL/TLS stacked on top
of SSH. Users authenticate to KeyBox, then KeyBox authenticates to the
servers with its SSH key. In the case of SSL/TLS, certificates are the
mechanism used to validate authenticity (which it is a good idea to
purchase or generate your own cert). StrictHostChecking couldn't be turned
on between users and the host itself. Maybe it could work between KeyBox
and the host, but there would have to be a way to resolve if the
fingerprint doesn't match.
from bastillion.
I just thought about the integrity check between keybox and the configured
hosts.
That is what I was referring to, as well.
It's obvious a CA signed SSL/TLS certificate is needed to guarantee legitimacy on the HTTP side.
from bastillion.
Right, but if the fingerprint doesn't match, how is that resolved? And what happens in the meantime? Are users locked out from accessing the host with the fingerprint mismatch?
from bastillion.
If the fingerprint doesn't match, the way to resolve it could be either inputting the new fingerprint, or deleting the current one for the host.
This could be either possible for every user, or admins only.
from bastillion.
Yeah, I was kind of thinking it should only be something an admin could do, b/c you wouldn't want just a regular user to verify the host is authentic for all the other users.
from bastillion.
I agree with Simone. Only an admin should be able to accept a changed host.
There might be users that have hosts changed quite often (e.g. during
development for provisioning test and re-install) but keeping the domain
name. I suggest making the "CheckHostFingerprint" configurable as an
option, default == true. So far, yes, users should be locked out until the
problem is solved. But it would be nice to let the users know WHY they
can't connect :-)
2015-01-07 12:26 GMT+01:00 Sean Kavanagh [email protected]:
Yeah, I was kind of thinking it should only be something an admin could
do. b/c you wouldn't want just a regular user verify the host is authentic
for all the other users.
from bastillion.
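The behaviour the thread converges on, as an added sketch that is not KeyBox/Bastillion code: the bastion pins each host's key fingerprint, refuses the connection on a mismatch with a reason the user can read, and lets only an admin enter a new fingerprint or delete the old one. `HostKeyStore`, its method names, the `check_host_fingerprint` switch, pinning on first contact and the sample key blobs are all assumptions made for illustration.

```python
import base64
import hashlib


class HostKeyMismatch(Exception):
    """The host presented a key that differs from the pinned fingerprint."""


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public host key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyStore:
    """Pins one fingerprint per host; only admins may change or delete a pin."""

    def __init__(self, check_host_fingerprint: bool = True):
        # Hypothetical switch mirroring the configurable option proposed above.
        self.check_host_fingerprint = check_host_fingerprint
        self.pins = {}  # host -> pinned fingerprint

    def verify(self, host: str, key_blob: bytes) -> str:
        """Run before authenticating to the host; returns the fingerprint seen."""
        seen = fingerprint(key_blob)
        if not self.check_host_fingerprint:
            return seen
        pinned = self.pins.setdefault(host, seen)  # assumption: pin on first contact
        if seen != pinned:
            # The message is what a locked-out user is shown, so they know why.
            raise HostKeyMismatch(
                f"{host}: host key changed (pinned {pinned}, got {seen}); "
                "an admin must enter the new fingerprint or delete the old one")
        return seen

    def set_fingerprint(self, host: str, new_fp: str, is_admin: bool) -> None:
        self._require_admin(is_admin)
        self.pins[host] = new_fp

    def delete_fingerprint(self, host: str, is_admin: bool) -> None:
        self._require_admin(is_admin)
        self.pins.pop(host, None)

    @staticmethod
    def _require_admin(is_admin: bool) -> None:
        if not is_admin:
            raise PermissionError("only an admin may change a pinned host key")


# Constructed sample key blobs (not real host keys).
KEY_A = b"constructed-host-key-A"
KEY_B = b"constructed-host-key-B"
```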