tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: SoC: Improve syslogd

Rainer Gerhards schrieb:
You want the syslogd to write new fingerprints into the directory?
I do not think that is a good idea. First it should not be allowed to do so
and have only read access to that directory (or any configuration).
But more important: where is the benefit of having 10 fingerprints with
content "UNKNOWN" there?
These could be displayed to a user as new connection requests. Then,
the user can authorize them or deny access.

"Display to the user" means "get recorded in a syslog entry".

Say I find a new fingerprint in my log, and I want to add it as a trust anchor. Then i can either a) create the file/add it to a textfile/whatever; or b) use cut&paste to find the newly created file and edit it. I do not think one method is easier than the other, but the first one clearly shows the 'good' fingeprints while the second always requires a grep to be useful.

And I am still undecided wether
client/server certs are worth the effort. (Not only in implementing but also
in administering as a user.)
What exactly do you mean - different certs for client and server use?

Different certificate lists for outgoing connections (client role) and incoming connections (server role).


Home | Main Index | Thread Index | Old Index