Enabling VerifyHostKeyDNS option in /etc/ssh/ssh_config

To: netbsd-users <netbsd-users%netbsd.org@localhost>
Subject: Enabling VerifyHostKeyDNS option in /etc/ssh/ssh_config
From: Jean-Yves Migeon <jeanyves.migeon%free.fr@localhost>
Date: Fri, 27 Sep 2013 00:35:49 +0200

Dear list,

Following a recent change of host key on a NetBSD server, I would liketo propose the following change:


--- ssh_config.orig     2013-09-26 23:56:00.000000000 +0200
+++ ssh_config  2013-09-26 23:55:38.000000000 +0200
@@ -48,3 +48,7 @@
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 # If you use xorg from pkgsrc then uncomment the following line.
 #   XAuthLocation /usr/pkg/bin/xauth
+
+# Some NetBSD's hosts provide SSHFP records - try checking them
+Host *.netbsd.org
+       VerifyHostKeyDNS ask

This would enable SSHFP DNS checks against hosts' keys; spz@ updatesthese regularly for hosts managed by TNF.

This will only add benefit to people that would like to connect to sshhosts without a previously validated key (the Trust On First Use remainsthe usual way of doing).They can obtain the fingerprint from a third party entity, which isstill better than nothing.

Note that without DNSSEC, the SSHFP record is just an indication - butthat is a separate issue to this option, and more resolver's matter.

For hosts that are already part of /etc/ssh/ssh_known_hosts with a validkey, nothing will change. For hosts with an incorrect key this willprint the usual MITM warning.

I cannot see any real drawback to enabling it. Opinions before I committhis?


Cheers,

--
Jean-Yves Migeon

Follow-Ups:
- Re: Enabling VerifyHostKeyDNS option in /etc/ssh/ssh_config
  - From: Greg Troxel

Prev by Date: Re: imap configuration
Next by Date: Re: imap configuration
Previous by Thread: imap configuration
Next by Thread: Re: Enabling VerifyHostKeyDNS option in /etc/ssh/ssh_config
Indexes:

Home | Main Index | Thread Index | Old Index