Hacker News new | ask | show | jobs
by mjochim 995 days ago
That is correct. And still, many, many devs and admins would do exactly that. Which is why in many, many cases, Tofu really isn't Tofu but "trust whatever."

When designing or evaluating security, one should not ignore that this is a part of reality.
1 comments
arp242 995 days ago
That's a bit of a different issue from the "Let’s say you’re on a fresh machine" that this article is about.

I agree that "automatic trust on first use" is "good enough" for most cases and people (especially with sshfp records), and to be honest I think the warning you get once that fails is strong enough:

  % git clone git@github.com:madmurphy/libconfini.git
  Cloning into 'libconfini'...
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
  Someone could be eavesdropping on you right now (man-in-the-middle attack)!
  It is also possible that a host key has just been changed.
  The fingerprint for the ED25519 key sent by the remote host is
  SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU.
  Please contact your system administrator.
  Add correct host key in /home/martin/.ssh/known_hosts to get rid of this message.
  Offending ED25519 key in /home/martin/.ssh/known_hosts:118
  Host key for github.com has changed and you have requested strict checking.
  Host key verification failed.
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
It's a strong warning, with a manual fix that's more than "just press ok" (probably intentionally), and if you choose to ignore that then that's your problem.

I'm not really sure what could be done better? A centralized https-like system comes with its own downsides.

(The only complaint is that last "Please make sure you have the correct access rights and the repository exists" line, which is from git and not ssh, and a tad confusing; maybe it's possible for git to do better here?)

link
SoftTalker 994 days ago
That warning IMO is over the top and too long. All that noise with key fingerprints and filenames makes the eyes glaze over. Any user who knows what a "key fingerprint" is will be able to find and compare them if they are interested. The message should just say something like:

  WARNING: Remote host identification has changed.
  If you did not expect this, verify this change with the remote system administrator before proceeding.
Ideally the message should be able to be customized so that organizations who provision computers for their employees could include e.g. the phone number or email address for the internal help desk.
link
patrakov 993 days ago
Note that Ubuntu patches the message and recommends `ssh-keygen -R github.com`, thus making it much closer to "just press ok".

https://salsa.debian.org/ssh-team/openssh/-/blob/master/debi...

link