NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Enabling VerifyHostKeyDNS option in /etc/ssh/ssh_config

Dear list,

Following a recent change of host key on a NetBSD server, I would like to propose the following change:

--- ssh_config.orig     2013-09-26 23:56:00.000000000 +0200
+++ ssh_config  2013-09-26 23:55:38.000000000 +0200
@@ -48,3 +48,7 @@
 #   ProxyCommand ssh -q -W %h:%p
 # If you use xorg from pkgsrc then uncomment the following line.
 #   XAuthLocation /usr/pkg/bin/xauth
+# Some NetBSD's hosts provide SSHFP records - try checking them
+Host *
+       VerifyHostKeyDNS ask

This would enable SSHFP DNS checks against hosts' keys; spz@ updates these regularly for hosts managed by TNF.

This will only add benefit to people that would like to connect to ssh hosts without a previously validated key (the Trust On First Use remains the usual way of doing). They can obtain the fingerprint from a third party entity, which is still better than nothing.

Note that without DNSSEC, the SSHFP record is just an indication - but that is a separate issue to this option, and more resolver's matter.

For hosts that are already part of /etc/ssh/ssh_known_hosts with a valid key, nothing will change. For hosts with an incorrect key this will print the usual MITM warning.

I cannot see any real drawback to enabling it. Opinions before I commit this?


Jean-Yves Migeon

Home | Main Index | Thread Index | Old Index