Date: 2007-02-20 10:06 pm (UTC)
What I was trying to say was that most people ignore the host key verification step since every single time they establish a connection to a new host they are prompted with an indecipherable key.

In the most common case everything is OK.

The really serious times these are useful are when a host key has changed without you expecting it - I figure that because people are conditioned to accept these prompts on new connections, a significant number of people will just "OK" a changed host key.

If, additionally, key fingerprints are stored in DNS then the typical case would be:

a) User connects to new host.
b) DNS says everything is OK.
c) User is not prompted.

The only times the user would be prompted would be a) if the key changes, or b) if the DNS data is incorrect - but hopefully at this point most people would be unused to these kinds of prompts and things would be simpler.

It's not a huge win if you don't control DNS - and in that case you might be at the kind of company where databases of server fingerprints are automatically distributed (with cfengine/etc) - but it is a simple check to make.
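
The flow described in the comment above, as an added sketch that is not part of the original comment and is not OpenSSH's code. The function names, the three outcome strings and the `dnssec_validated` flag are assumptions made for illustration; the key and SSHFP record are constructed sample data.

```python
import base64
import hashlib

# SSHFP key-algorithm numbers and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_matches(key_type, key_b64, records):
    """True if any (algorithm, fp_type, hex_fingerprint) record matches the offered key."""
    blob = base64.b64decode(key_b64)  # the fingerprint covers the raw public key blob
    alg = KEY_ALGS.get(key_type)
    for rec_alg, fp_type, hex_fp in records:
        if rec_alg != alg or fp_type not in FP_HASHES:
            continue
        if FP_HASHES[fp_type](blob).hexdigest() == hex_fp.lower():
            return True
    return False


def decide(key_type, key_b64, known_key_b64, records, dnssec_validated):
    """Return 'accept', 'prompt' or 'warn' for a host key offered by a server.

    known_key_b64 is the locally stored key for this host, or None for a new host.
    dnssec_validated is an assumption of this sketch: a DNS answer that was not
    validated is never enough to skip the prompt.
    """
    if known_key_b64 is not None:
        # Known host: any difference is the "key has changed" case.
        return "accept" if known_key_b64 == key_b64 else "warn"
    if records:
        if not sshfp_matches(key_type, key_b64, records):
            return "warn"  # DNS publishes fingerprints, but not for this key
        if dnssec_validated:
            return "accept"  # new host, DNS agrees: no prompt
    return "prompt"  # no usable DNS data: classic first-connection prompt


# Constructed sample data: not a real host key.
SAMPLE_KEY = base64.b64encode(b"constructed ed25519 host key blob").decode()
SAMPLE_RR = (4, 2, hashlib.sha256(base64.b64decode(SAMPLE_KEY)).hexdigest())

if __name__ == "__main__":
    print(decide("ssh-ed25519", SAMPLE_KEY, None, [SAMPLE_RR], True))
    print(decide("ssh-ed25519", SAMPLE_KEY, None, [SAMPLE_RR], False))
```

With OpenSSH itself, the corresponding client setting is `VerifyHostKeyDNS`, and `ssh-keygen -r hostname` prints the SSHFP records for a host's keys.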
Profile

ciphergoth: (Default)
Paul Crowley
