On Mon, Dec 25, 2000 at 06:34:09PM -0800, Mike Smith wrote:
> No, in several particulars. "The FreeBSD Project" doesn't change the SSH
> keys on the FreeBSD.org machines.
Not changed for change's sake, but failure to do anything to preserve them.
> David has probably been drinking too much; it's Christmas, after all.
This was totally uncalled for in a public list. Especially from one that
has been critical of me lately. I hate to tell you, but I've been on the
BSDi clock all day long.
> There were a couple of incidents some time back when freefall's SSH
> keys were accidentally overwritten due to failure to follow procedure
> by individual administrators.
You say I'm wrong, and then you admit the keys have changed. How much
did you drink today? The only reason the last Freefall hardware upgrade
kept the ssh host keys the same was because _I_personally_ made sure the
person doing the upgrade copied the keys over before going live (they
*were* different).
It has happened on Freefall, as you mention, along with Hub, and Bento
that I remember. I'll leave it up to the long-time committers to recall
themselves the number of times they've gotten the "host key has changed"
warning in the past.
The *ONLY* time the key has changed on these machines that anybody
announced it was Tue, 16 May 2000 when Peter Wemm regenerated Freefall's
key because it had an off-by-one error that OpenSSH complained about. And
even then, Peter sent it out in email w/o public key signing the email.
Has anyone backed up the freebsd.org ssh host keys so that if a disk died
(or two in the RAID5 machines), the keys could be restored?
If we wanted to do this right, the FreeBSD Security Officer would collect
the ssh host keys on all the freebsd.org machines (the ones at the COLO
rack) on his home machine encrypted with the SO's PGP key. He would also
take all the public host keys, put them in a webpage (which of course
would be in the CVS repo) which is then signed by the SO's PGP key and
put it up in the FreeBSD Internal section.
--
-- David ([EMAIL PROTECTED])
GNU is Not Unix / Linux Is Not UniX
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
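The publication step sketched at the end of the message above (a list of host public keys kept in the repository that committers can check what a server presents against) is modelled in the following added example. It is not code from this thread or from the FreeBSD project; the helper names are hypothetical, the host key bytes are constructed from labels rather than taken from any real freebsd.org machine, and the PGP signing of the inventory file is assumed to happen outside this script. It computes OpenSSH-style SHA256 fingerprints from public key lines, checks that the type name inside the key blob matches the outer type field, and reports each host as unchanged, changed, unknown, or missing:

```python
"""Snapshot and compare SSH host public keys using OpenSSH-style fingerprints.

Added example: the inventory format is a known_hosts-like text file
('<host> <type> <base64> [comment]') that would live under version control
and carry a detached PGP signature; signing is not performed here.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string at offset; return (payload, next_offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated SSH string header")
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + n > len(blob):
        raise ValueError("truncated SSH string payload")
    return blob[start:start + n], start + n


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build a public key line for an ed25519 key from its 32 raw bytes (hypothetical helper)."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH SHA256 fingerprint: 'SHA256:' + unpadded base64 of sha256(blob).

    The type string embedded in the blob must match the outer type field;
    a mismatch indicates a corrupted or tampered line and is rejected.
    """
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    inner_type, _ = _read_ssh_string(blob, 0)
    if inner_type != key_type.encode():
        raise ValueError(f"type mismatch: outer {key_type} vs inner {inner_type!r}")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_inventory(text: str) -> dict:
    """Parse '<host> <type> <base64> [comment]' lines into {host: key_line}; '#' lines are comments."""
    inv = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, key_line = line.partition(" ")
        inv[host] = key_line
    return inv


def compare(published: dict, observed: dict) -> dict:
    """Compare fingerprints host by host: 'ok', 'changed', 'unknown' (not published) or 'missing'."""
    result = {}
    for host, key_line in observed.items():
        if host not in published:
            result[host] = "unknown"
        elif fingerprint(published[host]) == fingerprint(key_line):
            result[host] = "ok"
        else:
            result[host] = "changed"
    for host in published:
        if host not in observed:
            result[host] = "missing"
    return result


def _demo_key(label: str) -> bytes:
    """Constructed 32-byte value derived from a label; not a real host key."""
    return hashlib.sha256(label.encode()).digest()


# Constructed sample inventory (what the signed web page would contain).
PUBLISHED = "\n".join([
    "# signed inventory; the PGP signature would be checked before trusting it",
    "freefall " + make_ed25519_pubkey_line(_demo_key("freefall-v1"), "freefall"),
    "hub " + make_ed25519_pubkey_line(_demo_key("hub-v1"), "hub"),
    "bento " + make_ed25519_pubkey_line(_demo_key("bento-v1"), "bento"),
])

# Constructed sample of what the servers currently present.
OBSERVED = "\n".join([
    "freefall " + make_ed25519_pubkey_line(_demo_key("freefall-v1"), "freefall"),
    "hub " + make_ed25519_pubkey_line(_demo_key("hub-v2"), "hub"),  # regenerated, never announced
    "www " + make_ed25519_pubkey_line(_demo_key("www-v1"), "www"),  # not in the inventory
])


def demo_report() -> dict:
    """Run the comparison on the constructed samples."""
    return compare(parse_inventory(PUBLISHED), parse_inventory(OBSERVED))


if __name__ == "__main__":
    for host, status in sorted(demo_report().items()):
        print(f"{host:10s} {status}")
```

Run it directly to see the per-host status; in practice the observed side would be filled from ssh-keyscan output or the host's own /etc/ssh/*.pub files, and the published file would be verified against the Security Officer's signature before it is trusted.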