Rainer Gerhards wrote:
>> You want the syslogd to write new fingerprints into the directory? I do not think that is a good idea. First it should not be allowed to do so and have only read access to that directory (or any configuration). But more important: where is the benefit of having 10 fingerprints with content "UNKNOWN" there?
> These could be displayed to a user as new connection requests. Then, the user can authorize them or deny access.

"Display to the user" means "get recorded in a syslog entry". Say I find a new fingerprint in my log, and I want to add it as a trust anchor. Then I can either a) create the file/add it to a text file/whatever; or b) use cut&paste to find the newly created file and edit it. I do not think one method is easier than the other, but the first one clearly shows the 'good' fingerprints while the second always requires a grep to be useful.

>> And I am still undecided whether client/server certs are worth the effort. (Not only in implementing but also in administering as a user.)
> What exactly do you mean - different certs for client and server use?

Different certificate lists for outgoing connections (client role) and incoming connections (server role).

-- Martin
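The "grep" Martin describes, as an added example that is not part of this thread or of the syslogd being discussed: it pulls peer fingerprints out of constructed syslog lines, loads the trust anchors from a text file or directory, and reports the fingerprints that have been seen but not yet authorized. The log message wording, the fingerprint values and the one-fingerprint-per-line file layout are all assumptions made here.

```python
import re
from pathlib import Path

# Constructed fingerprints (not from real certificates): 20 colon-separated bytes.
FP_A = "SHA1:" + ":".join(["AA"] * 20)
FP_B = "SHA1:" + ":".join(["B1"] * 20)

# Constructed log lines; the message layout is an assumption, not the
# syslogd's real wording. Peers 10.0.0.5 and 10.0.0.7 present the same cert.
SAMPLE_LOG = "\n".join([
    f"Mar  1 10:00:01 host syslogd: TLS peer 10.0.0.5 fingerprint {FP_A}",
    f"Mar  1 10:00:02 host syslogd: TLS peer 10.0.0.6 fingerprint {FP_B}",
    f"Mar  1 10:00:03 host syslogd: TLS peer 10.0.0.7 fingerprint {FP_A}",
    "Mar  1 10:00:04 host syslogd: unrelated message",
])

FP_RE = re.compile(r"TLS peer (\S+) fingerprint (SHA1:(?:[0-9A-F]{2}:){19}[0-9A-F]{2})")

def fingerprints_in_log(text):
    """Map each fingerprint found in the log to the set of peers that presented it."""
    seen = {}
    for line in text.splitlines():
        m = FP_RE.search(line)
        if m:
            seen.setdefault(m.group(2), set()).add(m.group(1))
    return seen

def trusted_from_text(text):
    """Parse a trust-anchor file: one fingerprint per line, blanks and '#' comments ignored."""
    return {s for s in (l.strip() for l in text.splitlines()) if s and not s.startswith("#")}

def trusted_from_directory(directory):
    """Union of the trust anchors in every regular file of a directory (assumed layout)."""
    trusted = set()
    for f in Path(directory).iterdir():
        if f.is_file():
            trusted |= trusted_from_text(f.read_text())
    return trusted

def pending_authorizations(log_text, trusted):
    """Fingerprints seen in the log but not yet trusted, each with the peers that used it."""
    seen = fingerprints_in_log(log_text)
    return sorted((fp, sorted(peers)) for fp, peers in seen.items() if fp not in trusted)

if __name__ == "__main__":
    for fp, peers in pending_authorizations(SAMPLE_LOG, {FP_A}):
        print(f"not yet trusted: {fp} (seen from {', '.join(peers)})")
```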