[Yum] Security issues in yum in general...
Robert G. Brown
rgb at phy.duke.edu
Mon Oct 6 15:07:54 UTC 2003
On Mon, 6 Oct 2003, Robert G. Brown wrote:
> The only thing that might be worth investigating for implementation in
> yum itself is a) -- I can imagine a scenario where one inserts the
> public ssh key of yum servers into a yum.conf so that yum can do a quick
> handshake right before starting to download files to be certain that the
> host it thinks it is contacting really is that host.

Not quite replying to myself, this is in reference to ssl as an
alternative. There are good things and bad things about ssl for host
authentication. The good thing is that there is a CA. The bad thing is
that there is a CA. For some sites CA-based authentication (which
generally costs money) will be right; for others a more DIY approach is
called for. SSL is not horribly trivial to set up at all, let alone
correctly.

So ssh is suggested as an alternative to ssl, not as a replacement.
openssh is trivially installable on just about any system these days,
and it is pretty easy to access and copy keys and hence arrange for a
handshake with no need for an external CA.

rgb
Robert G. Brown http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567 Fax: 919-660-2525 email:rgb at phy.duke.edu
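
The pinning check proposed in the message above, as an added example that is not part of the original post and not yum code. The `hostkey` option, the repository sections and the key bytes are all hypothetical, constructed for illustration; the example covers only the comparison of a presented host key against the pinned one, and assumes the SSH key exchange has already made the server prove possession of the matching private key.

```python
import base64, configparser, hashlib, hmac, struct

def make_blob(key_type, raw):
    """Build an SSH wire-format public key blob (used for constructed sample data)."""
    t = key_type.encode()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(raw)) + raw

def parse_pin(line):
    """Parse '<type> <base64>' and require the blob's embedded type to match."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match key blob")
    return blob

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint, for showing the admin what was pinned."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_pins(conf_text):
    """Collect the hypothetical 'hostkey' option from each repository section."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return {s: parse_pin(cp.get(s, "hostkey"))
            for s in cp.sections() if cp.has_option(s, "hostkey")}

def host_is_pinned(pins, repo, presented_blob):
    """Fail closed: no pin or a different key means do not download."""
    pinned = pins.get(repo)
    if pinned is None:
        return False
    return hmac.compare_digest(pinned, presented_blob)

# Constructed sample keys: not real host keys.
GOOD = make_blob("ssh-ed25519", bytes(range(32)))
OTHER = make_blob("ssh-ed25519", bytes(32))
SAMPLE_CONF = f"""
[base]
baseurl = http://mirror.example.org/yum/base
hostkey = ssh-ed25519 {base64.b64encode(GOOD).decode()}
[updates]
baseurl = http://mirror.example.org/yum/updates
"""
PINS = load_pins(SAMPLE_CONF)

if __name__ == "__main__":
    print("pinned:", fingerprint(PINS["base"]))
    print("base, expected key:", host_is_pinned(PINS, "base", GOOD))
    print("base, other key:   ", host_is_pinned(PINS, "base", OTHER))
```
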