seeding dev/random in 5.5

fwaggle fwaggle at hungryhacker.com
Wed Aug 9 13:27:53 UTC 2006


Brooks Davis wrote:
> On Wed, Aug 09, 2006 at 12:17:35AM -0700, R. B. Riddick wrote:
>> --- Doug Barton <dougb at FreeBSD.org> wrote:
[snip]
>> * I received a private communication yesterday about this matter. But the list
>> did not. I will cite (not literally) a little bit out of that message: Since
>> you do not know anything about the remotely created host-key, u cannot connect
>> safely to the freshly installed box, because: You do not even know the
>> signature of the new host-key, so that if u connect to the wrong box u would
>> not even know. Workaround: You could give all hosts the same well-known
>> host-key (via your install-image-CD) and then u could change the host-key in a
>> remotely controlled way individually and note down the signature? Maybe my
>> secret informer (let's call him Rasmus or RK) wants to come public... :-)
> 
> These are valid if probably overly paranoid points. :)
[/snip]

i have a question. perhaps i'm misunderstanding something with how SSH 
works, but how would having a "standard freebsd private key" benefit 
anyone? if you wanted to impersonate a newly installed freebsd machine, 
then all you'd need is that freely-available private key. plus you'd get 
a bunch of clueless admins who had their machines installed by a 
dedicated server provider, and who'd never change their host key, which 
would effectively ruin SSH for their purposes.

unless i've seriously missed the boat somewhere (it's happened before!) 
i think a better solution would still be random key generation with a 
nice little option to email the key signature somewhere that the new 
admin could pick it up. it's still fraught with impersonation danger for 
the paranoid, but imo it's a better idea than having a not-so-private 
key on install.

-- 
fwaggle
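
The two options weighed in the message above, as an added example that is not part of the original post: it computes an OpenSSH-style SHA256 fingerprint from a public-key line and checks a presented key against a fingerprint received out of band. The key bytes, comments and function names are constructed for illustration, and the ssh-ed25519 key type is an assumption chosen only for its short blob.

```python
import base64
import hashlib
import hmac
import struct


def pubkey_line(raw32: bytes, comment: str) -> str:
    """Wrap 32 constructed bytes in the OpenSSH ssh-ed25519 public-key line format."""
    algo = b"ssh-ed25519"
    blob = struct.pack(">I", len(algo)) + algo + struct.pack(">I", len(raw32)) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(line: str) -> str:
    """Return the fingerprint of a public-key line in OpenSSH's SHA256:<base64> form."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type outside and inside the blob disagree")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches(presented_line: str, expected_fp: str) -> bool:
    """Compare the key a server presents with the fingerprint received out of band."""
    return hmac.compare_digest(fingerprint(presented_line), expected_fp)


# Constructed sample keys (arbitrary bytes, not real host keys).
NEW_HOST = pubkey_line(bytes(range(32)), "root@newbox")        # generated at first boot
IMPOSTOR = pubkey_line(bytes(range(32, 64)), "root@impostor")  # some other machine's key
IMAGE_KEY = pubkey_line(b"\x42" * 32, "root@install-image")    # same key on every install

if __name__ == "__main__":
    mailed_fp = fingerprint(NEW_HOST)  # what the installer would e-mail to the admin
    print("per-host key, real box :", matches(NEW_HOST, mailed_fp))
    print("per-host key, impostor :", matches(IMPOSTOR, mailed_fp))
    # With the image key the private half ships on every CD, so any holder can
    # present IMAGE_KEY and finish the key exchange; the check cannot tell them apart.
    print("image key, any holder  :", matches(IMAGE_KEY, fingerprint(IMAGE_KEY)))
```

The fingerprint check only authenticates a host when the matching private key exists on that host alone, which is why the per-host case rejects the second machine and the shared-image case accepts every holder.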

