ssh authorized_keys and known_hosts

William Reade william.reade at
Wed Oct 19 06:58:08 UTC 2011

On Tue, 2011-10-18 at 11:49 -0500, Dustin Kirkland wrote:
> On Tue, Oct 18, 2011 at 11:32 AM, Gustavo Niemeyer <gustavo at> wrote:
> > William, I don't have time to explain now, but before you spend time on
> > this, doing just this is equivalent to simply turning host key verification
> > off.
> >
> > If you want details earlier, give me a call and I'll explain.
> Gustavo,
> I understand you're on holiday, so I'm sensitive to your time here.
> If you do talk to William, I'd be very interested in understanding
> what you mean here, as I think that ssh host key management within
> Juju can be improved and can be done so in a very secure manner.

I haven't spoken to Gustavo, and I think there's plenty of other stuff
for me to do without having to disrupt his holiday ;). His comments got
me thinking, though, and I think the single biggest problem is that we
don't have any way to verify agents' identities: and so, just trusting
whatever happens to have shown up in ZK is no better than just typing
"yes" without checking anything -- and perhaps worse, because it gives
an illusion of security, while typing "yes" will at least make you feel
slightly guilty for a couple of picoseconds.

I do think this is an important story, but I also think enough people
have made enough relevant points that I should sit back and think about
it for a while before I try to implement anything (also, I just noticed
that jimbaker is touching the ssh code at the moment, so it would be
sensible to wait until that's stable anyway).

