Enabling VerifyHostKeyDNS option in /etc/ssh/ssh_config
Following a recent change of host key on a NetBSD server, I would like
to propose the following change:
--- ssh_config.orig 2013-09-26 23:56:00.000000000 +0200
+++ ssh_config 2013-09-26 23:55:38.000000000 +0200
@@ -48,3 +48,7 @@
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# If you use xorg from pkgsrc then uncomment the following line.
# XAuthLocation /usr/pkg/bin/xauth
+# Some NetBSD's hosts provide SSHFP records - try checking them
+ VerifyHostKeyDNS ask
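Review bot: the comment added in this hunk, "Some NetBSD's hosts provide SSHFP records", has a stray possessive ("Some NetBSD hosts ...") and, since the covering message itself says that without DNSSEC an SSHFP match is only an indication, the comment should carry that caveat so readers of ssh_config see it without the mailing-list context, e.g. `# Some NetBSD hosts publish SSHFP records; without DNSSEC a match is only advisory`. The choice of `ask` is the right one for this file: per ssh_config(5) it only displays the fingerprint match state and still prompts according to StrictHostKeyChecking, whereas `yes` would silently accept a key matching a DNSSEC-secured record (insecure records are treated as `ask` either way), so the setting cannot auto-accept anything on hosts with a stub resolver.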
This would enable SSHFP DNS checks against hosts' keys; spz@ updates
these regularly for hosts managed by TNF.
This will only add benefit to people who would like to connect to ssh
hosts without a previously validated key (Trust On First Use remains
the usual way of doing it).
They can obtain the fingerprint from a third-party entity, which is
still better than nothing.
Note that without DNSSEC, the SSHFP record is just an indication - but
that is a separate issue from this option, and more a resolver matter.
For hosts that are already part of /etc/ssh/ssh_known_hosts with a valid
key, nothing will change. For hosts with an incorrect key this will
print the usual MITM warning.
I cannot see any real drawback to enabling it. Opinions before I commit
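The SSHFP mechanism the proposal relies on, as an added worked example (not code from the original post, from OpenSSH or from NetBSD): it derives the SSHFP RDATA for a host key the way `ssh-keygen -r` does (hash over the raw public key blob, RFC 4255/6594 algorithm and fingerprint-type numbers), checks a presented key against a record, and reproduces the decision `VerifyHostKeyDNS` makes, including the point made above that a match from a non-DNSSEC-validated answer is only advisory. The host key and the "attacker" key are constructed 32-byte values, not real keys, and `host.example.org.` is a placeholder; no DNS lookup is performed so it runs offline.

```python
"""SSHFP record generation and check (added example, not NetBSD or OpenSSH code)."""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def parse_pubkey_line(line):
    """Return (key_type, raw_blob) from an authorized_keys/known_hosts style line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    # The wire-format blob starts with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type inside blob does not match the line")
    return key_type, blob


def sshfp_rdata(line, fptype="sha256"):
    """SSHFP RDATA (algorithm, fptype, hex digest) for a public key line.

    The digest is taken over the raw key blob, which is what ssh-keygen -r emits."""
    key_type, blob = parse_pubkey_line(line)
    return SSHFP_ALGORITHM[key_type], SSHFP_FPTYPE[fptype], hashlib.new(fptype, blob).hexdigest()


def format_sshfp(hostname, line, fptype="sha256"):
    """Zone-file presentation of the record, e.g. 'host. IN SSHFP 4 2 <hex>'."""
    alg, fpt, fp = sshfp_rdata(line, fptype)
    return f"{hostname} IN SSHFP {alg} {fpt} {fp}"


def matches_sshfp(line, rdata_text):
    """Does the presented key match an RDATA string 'alg fptype hex'?"""
    alg, fpt, fp = rdata_text.split()
    fptype_name = {v: k for k, v in SSHFP_FPTYPE.items()}.get(int(fpt))
    if fptype_name is None:
        return False  # unknown digest type: cannot verify, so no match
    k_alg, _, k_fp = sshfp_rdata(line, fptype_name)
    return k_alg == int(alg) and k_fp == fp.lower()


def verify_host_key_dns(line, records, dnssec_secure):
    """Reproduce the VerifyHostKeyDNS decision for a first connection.

    'match-secure' is the only state in which 'VerifyHostKeyDNS yes' would accept
    the key without prompting; 'ask' always prompts but shows the state. A match
    from a non-validated answer ('match-insecure') is advisory, as the post notes."""
    if not records:
        return "no-records"
    if any(matches_sshfp(line, r) for r in records):
        return "match-secure" if dnssec_secure else "match-insecure"
    return "mismatch"


def make_ed25519_pubkey_line(pubkey_bytes):
    """Build an OpenSSH public key line around constructed 32-byte ed25519 material."""
    if len(pubkey_bytes) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pubkey_bytes
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed sample keys: arbitrary bytes, NOT real host keys.
HOST_KEY = make_ed25519_pubkey_line(bytes(range(32)))      # the server's "real" key
OTHER_KEY = make_ed25519_pubkey_line(bytes(range(32, 64)))  # a would-be MITM key

if __name__ == "__main__":
    rr = format_sshfp("host.example.org.", HOST_KEY)  # placeholder name
    rdata = rr.split(" IN SSHFP ")[1]
    print(rr)
    print("genuine key, validated DNS:  ", verify_host_key_dns(HOST_KEY, [rdata], True))
    print("genuine key, unvalidated DNS:", verify_host_key_dns(HOST_KEY, [rdata], False))
    print("other key, validated DNS:    ", verify_host_key_dns(OTHER_KEY, [rdata], True))
```

Publishing the record is `ssh-keygen -r host.example.org -f /etc/ssh/ssh_host_ed25519_key.pub` on the server; the check above is what the client does with the answer, and only a DNSSEC-validating resolver turns "match-insecure" into "match-secure".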