[Bug 524226] Re: ssh-import-id: retrieve a key from a public keyserver and add to the authorized_keys file

Dustin Kirkland dustin.kirkland at gmail.com
Fri Feb 19 17:37:17 GMT 2010


Marc-

I think that's true if you're receiving an arbitrary key from an
untrusted source (such as the first time you log into a remote server).

However, in this case, I think:
 a) You're communicating over SSL with a server and a valid certificate (hence, the server is authenticated and attested)
 b) The user who's keys you are retrieving had to authenticate themselves with Launchpad in order to upload their key, all of which was conducted over SSL.

In this case, I think the chain of trust comes down to:
 a) Are you sure you're talking to Launchpad.net?
 b) Are you sure that the user who's key you're retrieving authenticated with Launchpad when uploading these keys?

I believe these are assumptions you and I safely make every day, in the
course of our daily work through firefox, dput, apt-get, and various
other utilities.

:-Dustin

** Attachment removed: "ssh-import-id"
   http://launchpadlibrarian.net/39387619/ssh-authorize

-- 
ssh-import-id: retrieve a key from a public keyserver and add to the authorized_keys file
https://bugs.launchpad.net/bugs/524226
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.



More information about the Ubuntu-server-bugs mailing list