Tom Lane wrote: > Magnus Hagander <mag...@hagander.net> writes: >> Tom Lane wrote: >>> In the first place, I have never seen such a prompt, despite the fact >>> that I use ssh constantly to connect to machines that I know do not have >>> properly signed certificates. > >> *really*? Here's what I get as an example (after removing the trust): > >> h...@mha-laptop:~/.ssh$ ssh cvs.postgresql.org >> The authenticity of host 'cvs.postgresql.org (217.196.146.206)' can't be >> established. >> DSA key fingerprint is 54:27:10:f3:48:0a:f0:b6:c3:14:79:7e:49:c0:75:f3. >> Are you sure you want to continue connecting (yes/no)? ^C > > This simply tells you that the machine has a new key since last time you > talked to it. It doesn't have anything to do with whether the machine's > cert has been signed by anybody. It also doesn't prevent you from > operating without a root.crt file of your own.
SSH doesn't have certificates. The trusted key is as close as you get. You can compare it to ssl with *only* self-signed-certificate. Where it prompts you to authenticate the fingerprint of said self-signed-certificate. They do it through a prompt. We do it through a file. But as long as you in pg only deal with self-signed certs, the outcome is pretty much the same. //Magnus -- Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-bugs
