FS#45322 - [AUR 4] Host authenticity key fingerprints are not posted in an easily visible, secure location.
Attached to Project:
AUR web interface
Opened by Wyatt J. Brown (sushidude) - Saturday, 13 June 2015, 22:00 GMT
Last edited by Lukas Fleischer (lfleischer) - Sunday, 14 June 2015, 16:04 GMT
Details
Description:
When initially connecting to the AUR 4 Git, SSH will present the user with this message:

    The authenticity of host 'aur4.archlinux.org (2a01:4f8:160:3033::2)' can't be established.
    ECDSA key fingerprint is SHA256:L71Q91yHwmHPYYkJMDgj0xmUuw16qFOhJbBr1mzsiOI.
    Are you sure you want to continue connecting (yes/no)?

The host authenticity key fingerprints are not posted in an easily visible and secure location; this makes the AUR 4 vulnerable to a man-in-the-middle attack because users cannot verify the authenticity of the fingerprint. The host authenticity key fingerprints should be posted on the front page of the AUR 4 and a message should be added and sent out warning users to verify that the fingerprint on the front page is the same as the one accepted.

Additional info:
* package version(s) v4.0.0-rc4
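The check the report asks users to perform, as an added example (not AUR code): compute the SHA256 fingerprint of a host public-key line the way `ssh-keygen -l` prints it, compare it with the fingerprint published on the front page, and pin the verified key in `known_hosts` so the interactive first-connect prompt is never answered blind. The key material below is constructed (a dummy ssh-ed25519 key), not the real aur4.archlinux.org host key; the fingerprint constant is simply the one quoted in the prompt above and is used only to show a mismatch.

```python
import base64
import hashlib
import hmac
import struct

# Fingerprint exactly as it appeared in the SSH prompt quoted in this report.
PROMPT_FINGERPRINT = "SHA256:L71Q91yHwmHPYYkJMDgj0xmUuw16qFOhJbBr1mzsiOI"


def ssh_wire_string(b: bytes) -> bytes:
    """SSH wire encoding of a string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def make_pubkey_line(keytype: str, raw_key: bytes, comment: str) -> str:
    """Build a 'keytype base64blob comment' line in OpenSSH public-key format."""
    blob = ssh_wire_string(keytype.encode()) + ssh_wire_string(raw_key)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample keys (dummy 32-byte ed25519 public keys, NOT real host keys).
SAMPLE_PUBKEY_LINE = make_pubkey_line("ssh-ed25519", bytes(range(32)), "constructed-a")
OTHER_PUBKEY_LINE = make_pubkey_line("ssh-ed25519", bytes(range(1, 33)), "constructed-b")


def sha256_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style fingerprint ("SHA256:" + unpadded base64 of
    SHA-256 over the raw key blob), i.e. what `ssh-keygen -lf` prints."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob must begin with the key type it claims, otherwise the line is malformed.
    declared = fields[0].encode()
    if blob[:4 + len(declared)] != ssh_wire_string(declared):
        raise ValueError("key blob does not match declared key type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_published(pubkey_line: str, published_fingerprint: str) -> bool:
    """True only if the key's fingerprint equals the one taken from the published page."""
    return hmac.compare_digest(sha256_fingerprint(pubkey_line), published_fingerprint.strip())


def known_hosts_entry(host: str, pubkey_line: str) -> str:
    """Produce a known_hosts line that pins the verified key for `host`, so SSH
    never has to ask the user to trust an unverified fingerprint."""
    keytype, blob = pubkey_line.split()[:2]
    return f"{host} {keytype} {blob}"


if __name__ == "__main__":
    fp = sha256_fingerprint(SAMPLE_PUBKEY_LINE)
    print("computed:", fp)
    print("matches prompt fingerprint:", matches_published(SAMPLE_PUBKEY_LINE, PROMPT_FINGERPRINT))
    print("known_hosts line:", known_hosts_entry("aur4.archlinux.org", SAMPLE_PUBKEY_LINE))
```

In practice the key line fed to `sha256_fingerprint` comes from the server operator's published copy of the host public key (or from `ssh-keyscan`, which must then still be compared against a fingerprint obtained out of band); only after the computed value equals the published one is the `known_hosts_entry` output appended to `~/.ssh/known_hosts`.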
Closed by Lukas Fleischer (lfleischer)
Sunday, 14 June 2015, 16:04 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 4.0.0-rc5.
Comment by
Johannes Löthberg (demize) -
Saturday, 13 June 2015, 22:34 GMT
I was thinking it could be cool if there was an AUR setting for the fingerprint, and if specified, any fingerprints would be displayed on the front page.