commit 75361d87958755eaaa6a1b29b30acdedc5bc4e66
parent 7bb9e362c0e0af2a15b953831df917035ab82e38
Author: Sheng <webmaster0115@gmail.com>
Date: Sat, 17 Mar 2018 18:37:12 +0800
Changed default policy to warning policy
Diffstat:
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
@@ -27,7 +27,7 @@ python main.py
python main.py --address='0.0.0.0' --port=8000
# configure missing host key policy
-python main.py --policy=warning
+python main.py --policy=reject
# configure logging level
python main.py --logging=debug
@@ -55,4 +55,4 @@ location / {
### Tips
* Try to use Nginx as a front web server (see config example above) and enable SSL, this will prevent your ssh credentials from being uncovered. Also afterwards the communication between your browser and the web server will be encrypted as they use secured websockets.
-* Try to use reject policy as the missing host key policy, this will prevent man-in-the-middle attacks. The idea is that it checks the system host keys file("~/.ssh/known_hosts") and the application host keys file("./known_hosts") in order, if the ssh server's hostname is not found, the connection will be aborted.
+* Try to use reject policy as the missing host key policy along with your verified known_hosts, this will prevent man-in-the-middle attacks. The idea is that it checks the system host keys file("~/.ssh/known_hosts") and the application host keys file("./known_hosts") in order, if the ssh server's hostname is not found or the key is not matched, the connection will be aborted.
diff --git a/main.py b/main.py
@@ -18,7 +18,7 @@ from tornado.util import errno_from_exception
define('address', default='127.0.0.1', help='listen address')
define('port', default=8888, help='listen port', type=int)
define('debug', default=False, help='debug mode', type=bool)
-define('policy', default='reject',
+define('policy', default='warning',
help='missing host key policy, reject|autoadd|warning')
define('period', default=10, help='seconds for periodic callback', type=int)
