Re: SSL cleanups/hostname verification

From Peter Eisentraut
Subject Re: SSL cleanups/hostname verification
Date
Msg-id 200810211816.31897.peter_e@gmx.net
In response to Re: SSL cleanups/hostname verification  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Tuesday 21 October 2008 15:47:35 Tom Lane wrote:
> Gregory Stark <stark@enterprisedb.com> writes:
> > Sort of. SSH requires you to install the certificate of the server
> > locally before connecting. If you don't it pops up a big warning and asks
> > if you want to install it. On subsequent connections it looks up the key
> > for the name of the host you're trying to connect to and insists it
> > match. If it doesn't it pops up a *huge* error and refuses to connect.
>
> Um, IIRC what it's checking there is the server's key signature, which
> has nada to do with certificates.

It checks the fingerprint of the server public key.  And a certificate is 
exactly a public key with additional information that explains whose public 
key that is.  So when you install the fingerprint sent by the SSH server in 
your local known_hosts, then the server public key becomes a certificate.  
Sort of.  But it's related.
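
The name-to-key binding discussed in the message above, sketched as an added example (not part of the original e-mail and not OpenSSH's own code): a simplified known_hosts check in Python that shows the three outcomes the thread describes. It handles only plain, unhashed entries without wildcards, and the host names and key blobs are constructed for the demo.

```python
import base64
import hashlib

def _blob(seed: bytes) -> str:
    """Build a constructed base64 'public key blob' (made-up bytes, not a real host key)."""
    return base64.b64encode(hashlib.sha512(seed).digest()).decode()

KEY_A = _blob(b"constructed host key A")
KEY_B = _blob(b"constructed host key B")
KNOWN_HOSTS = f"""\
# constructed known_hosts content
db.example.org,192.0.2.10 ssh-ed25519 {KEY_A}
"""

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as current OpenSSH prints it: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map each host name to the set of (keytype, key) pairs pinned for it."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("@", "|")):
            continue  # @cert-authority/@revoked markers and hashed hosts are out of scope here
        hosts, keytype, key = fields[:3]
        for host in hosts.split(","):
            pins.setdefault(host, set()).add((keytype, key))
    return pins

def check_host(pins: dict, host: str, keytype: str, key: str) -> str:
    """Return 'match', 'unknown' (first contact, user must decide) or 'mismatch' (refuse)."""
    if host not in pins:
        return "unknown"
    return "match" if (keytype, key) in pins[host] else "mismatch"

if __name__ == "__main__":
    pins = parse_known_hosts(KNOWN_HOSTS)
    for host, key in [("db.example.org", KEY_A), ("db.example.org", KEY_B), ("new.example.org", KEY_A)]:
        print(host, fingerprint(key), check_host(pins, host, "ssh-ed25519", key))
```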

