[isabelle-dev] isatest ssh

Makarius makarius at sketis.net
Mon Nov 26 11:01:51 CET 2012

On Sun, 25 Nov 2012, Gerwin Klein wrote:

> On 20/11/2012, at 11:23 PM, Makarius <makarius at sketis.net> wrote:
>> There is this recurrent game to have the isatest user do many manual ssh logins to update known_hosts.  Getting tired of it, I just did some reading of man ssh_config and some googling.  This resulted the following ~isatest/.ssh/config:
>> Host *
>>  #see http://linuxcommando.blogspot.fr/2008/10/how-to-disable-ssh-host-key-checking.html
>>  StrictHostKeyChecking no
>>  UserKnownHostsFile=/dev/null
>> Maybe it helps in other situations, too.  Or maybe there is an ssh 
>> expert saying that this is really really bad.
> ssh does check these keys for a reason, it is now easy for another host 
> to pretend to be one of the servers isatest wants to access. On the 
> other hand, it's unclear what an attacker would gain from having isatest 
> run a large isabelle session. There are easier ways to do that ;-)

Do these attacks also work from the free net outside TUM?

The reasoning (or rather hope) behind the above was that for doing real 
non-sense you would have to be on the local network at TUM.  So it is 
basically a switch back towards the old-fashioned ways of rsh.

BTW, the local network is totally insecure if accessed from inside. 
There are many ways to do non-sense, but we better don't explain that 


More information about the isabelle-dev mailing list