From 9dc7b32ce853fa59e0485c6a168df2bdf280b5ff Mon Sep 17 00:00:00 2001 From: shimataro Date: Wed, 10 Mar 2021 19:37:46 +0900 Subject: [PATCH] update README --- README.md | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 3ef7bf9..b1a9442 100644 --- a/README.md +++ b/README.md @@ -97,19 +97,6 @@ Use `if_key_exists` parameter. * `ignore`: does nothing * `fail`: fails (default) -### I want to omit `known_hosts`. - -First of all, you have to understand that it is NOT secure to SSH with no `known_hosts` and using `StrictHostKeyChecking=no` option. - -Why do you want to omit it? -If the reason is **"I'm not understanding about the function of `known_hosts`"** or **"It's bother to fetch server key"**, you should not omit. -If **"It is hard to prefetch server key because the server will be created dynamically"**, you can use bastion server. - -By the way, there are some secure methods to SSH without `known_hosts`, such as SSHFP and signed server key. -And here is a special value to omit `known_hosts`. You should use it ONLY IF you are sure that it is secure enough. -You should use it ONLY IF you are using secure methods... -It is `known_hosts: unnecessary`. - ### How do I use encrypted SSH key? This action doesn't support encrypted key directly. 
@@ -144,6 +131,18 @@ It has some advantages over other methods: * And will be updated continuously. * if security incident ―e.g., private key leaked― occurs, it's OK just to remove `authorized_keys` on bastion. +### I want to omit `known_hosts`. + +First of all, you have to understand that it is NOT secure to SSH with no `known_hosts` and using `StrictHostKeyChecking=no` option. + +Why do you want to omit it? +If the reason is **"I'm not understanding about the function of `known_hosts`"** or **"It's bother to fetch server key"**, you should not omit. +If **"It is hard to prefetch server key because the server will be created dynamically"**, you can use bastion server. + +By the way, there are some secure methods to SSH without `known_hosts`, such as SSHFP and signed server key. +And here is a special value to omit `known_hosts`. You should use it ONLY IF you are using secure methods... +It is `known_hosts: unnecessary`. + ## License The scripts and documentation in this project are released under the [MIT License](LICENSE)
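Review bot: The section removed in the first hunk is re-added almost verbatim in the second, so this patch is a move of the "I want to omit `known_hosts`" FAQ entry to below the bastion-server explanation rather than a deletion. Because the heading text is unchanged, an existing link to its anchor still resolves, but the answer's line "you can use bastion server" now sits directly after the bastion section and could point back to it ("see the bastion section above") so readers do not have to search for it.

Review bot: In the re-added section the sentence "You should use it ONLY IF you are sure that it is secure enough." has been dropped and only "You should use it ONLY IF you are using secure methods..." is kept; consolidating the two duplicated "ONLY IF" lines is right, but the trailing ellipsis leaves the condition vague. Suggest stating the condition concretely, tied to the preceding sentence, e.g. "You should use it ONLY IF the server's host key is verified by another mechanism, such as SSHFP or a CA-signed host key." While the text is being moved, the grammar could be tidied too: "I'm not understanding about the function of `known_hosts`" reads better as "I don't understand what `known_hosts` is for", and "It's bother to fetch server key" as "Fetching the server key is a hassle".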