[Yum] Security issues in yum in general...

Robert G. Brown rgb at phy.duke.edu
Mon Oct 6 15:07:54 UTC 2003


On Mon, 6 Oct 2003, Robert G. Brown wrote:

> The only thing that might be worth investigating for implementation in
> yum itself is a) -- I can imagine a scenario where one inserts the
> public ssh key of yum servers into a yum.conf so that yum can do a quick
> handshake right before starting to download files to be certain that the
> host it thinks it is contacting really is that host.

Not quite replying to myself, this is in reference to ssl as an
alternative.  There are good things and bad things about ssl for host
authentication.  The good thing is that there is a CA.  The bad thing is
that there is a CA.  For some sites CA-based authentication (which
generally costs money) will be right; for others a more DIY approach is
called for.  SSL is not horribly trivial to set up at all, let alone
correctly.

So ssh is suggested as an alternative to ssl, not as a replacement.
openssh is trivially installable on just about any system these days,
and it is pretty easy to access and copy keys and hence arrange for a
handshake with no need for an external CA.

  rgb

Robert G. Brown	                       http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb at phy.duke.edu
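
The key-pinning idea discussed in this message, sketched as an added example (not part of the original post and not yum code): a host key pinned in a yum.conf-style file is compared with the key a server presents, with no CA involved. The `hostkey` option, the repository URL and both keys are assumptions constructed for illustration.

```python
import base64, configparser, hashlib, hmac, struct

def ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

def make_pubkey_line(raw32: bytes) -> str:
    # Build an OpenSSH-style "ssh-ed25519 <base64>" line from 32 key bytes.
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

def parse_pubkey(line: str) -> bytes:
    # Decode the blob and check that its embedded type matches the label.
    ktype, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != ktype:
        raise ValueError("key type label does not match key blob")
    return blob

def fingerprint(line: str) -> str:
    # OpenSSH-style SHA256 fingerprint, useful for logging a mismatch.
    digest = hashlib.sha256(parse_pubkey(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_matches(conf_text: str, repo: str, presented: str) -> bool:
    # "hostkey" is a hypothetical per-repository option (an assumption).
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    pinned = cp.get(repo, "hostkey", fallback=None)
    if pinned is None:
        return False  # no pin configured: fail closed
    try:
        # A match only authenticates the host if the transport also makes
        # the server prove possession of the private key, as ssh does.
        return hmac.compare_digest(parse_pubkey(pinned), parse_pubkey(presented))
    except (ValueError, struct.error):
        return False  # malformed key on either side: fail closed

# Constructed sample data: these are not real host keys.
SERVER_KEY = make_pubkey_line(bytes(range(32)))
OTHER_KEY = make_pubkey_line(bytes(range(1, 33)))
YUM_CONF = f"[base]\nname=Example\nbaseurl=http://yum.example.org/base/\nhostkey={SERVER_KEY}\n"

if __name__ == "__main__":
    for key in (SERVER_KEY, OTHER_KEY):
        ok = host_key_matches(YUM_CONF, "base", key)
        print(fingerprint(key), "accepted" if ok else "REJECTED")
```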





