BackupPC-users

Re: [BackupPC-users] Thank you BackupPC!!!

2013-03-24 22:55:25
From: Holger Parplies <wbppc AT parplies DOT de>
To: "General list for user discussion, questions and support" <backuppc-users AT lists.sourceforge DOT net>
Date: Mon, 25 Mar 2013 03:53:59 +0100

Hi,

[for the archives]

Tyler J. Wagner wrote on 2012-12-11 11:08:17 +0000 [Re: [BackupPC-users] Thank you BackupPC!!!]:
> [...]
> Consider:
> 
> root@venkman:~# cat /var/lib/backuppc/.ssh/config
> Protocol 2
> HashKnownHosts no
> StrictHostKeyChecking no

actually, don't. StrictHostKeyChecking is on by default for a good reason.
Without it, you're vulnerable to MITM attacks, like the message says, or in
the case of BackupPC even to substitution of your backup target. You
think it's ssh, but it isn't, unless you are certain that you are connecting
to the correct target. I've used 'StrictHostKeyChecking no'
myself, but only ever for a specific host (or config file entry) when I
know *in advance* that the key will be changing legitimately. The message
and the fact that ssh won't connect are a nuisance, and that's not
because the authors of the software like annoying people, it's because
it's crucial. The message doesn't mean "hey, you should remember to update
your settings", it means "this connection is insecure (or at least can be)".
Once you get into the habit of taking security lightly, you won't treat it
seriously when you need to.

As for HashKnownHosts, what is the point of switching it off? Try
'ssh-keygen -R host' and 'ssh-keygen -R ip'. Then again, for the backuppc
user it's probably evident anyway to which hosts connections are
established, so there may not be much point in hashing known_hosts.

Regards,
Holger
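
Added example, not part of the message above and not BackupPC code: a small Python check that works out which StrictHostKeyChecking value ssh would apply to a given host, using ssh_config's "first obtained value wins" rule, so a global "no" can be told apart from a per-host one. The host names and both sample configs are constructed; Match and Include directives are not handled, and fnmatch stands in for ssh's own pattern matching.

```python
import fnmatch
import re

# Constructed sample: the global setting quoted above, then a host entry.
SAMPLE_CONFIG = """\
Protocol 2
HashKnownHosts no
StrictHostKeyChecking no
Host fileserver.example
    StrictHostKeyChecking yes
"""
# Constructed sample: checking relaxed for one named host only.
SCOPED_CONFIG = """\
Host rebuilt-box.example
    StrictHostKeyChecking no
Host *
    StrictHostKeyChecking yes
"""

def _host_matches(patterns, host):
    """Host line semantics: a positive pattern must match, no negated one may."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def effective_strict_checking(config_text, host):
    """Return (value, line_number) ssh would use for host; first value wins."""
    active = True  # options before the first Host line apply to every host
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # ssh_config keywords are case-insensitive
        arg = parts[1].strip('"') if len(parts) > 1 else ""
        if keyword == "host":
            active = _host_matches(arg.split(), host)
        elif keyword == "stricthostkeychecking" and active:
            return arg.lower(), lineno
    return "ask", None  # OpenSSH default when the option is never set

def globally_disabled(config_text, probe="constructed-unlisted-host.invalid"):
    """True if a host named nowhere in the file still gets checking turned off."""
    return effective_strict_checking(config_text, probe)[0] in ("no", "off")
```

With SAMPLE_CONFIG, the "yes" under fileserver.example never takes effect, because the global "no" on line 3 is obtained first; in SCOPED_CONFIG only rebuilt-box.example has checking disabled.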
