NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Enabling VerifyHostKeyDNS option in /etc/ssh/ssh_config

Le 27/09/2013 13:57, Greg Troxel a écrit :
Jean-Yves Migeon <> writes:

+# Some NetBSD's hosts provide SSHFP records - try checking them
+Host *
+       VerifyHostKeyDNS ask

Not really objecting, but:

  Why only for

Because I know admins@ add SSHFP records for the hosts managed by TNF. For other domains... well, I am not so sure about that :)

  Does upstream OpenSSH enable this by default?


 Why or why not?

Wild guess:
- that would force a DNS lookup for each host you connect to, but the amount of admins that add SSHFP records to their DNS is almost zero. We have chance there: spz does, so I limit this to TNF hosts to be meaningful. - without DNSSEC it is purely informational: DNS is insecure by design, you cannot replace a "strict" fingerprint check by a simple DNS lookup. It is weaker, but still better than nothing.

In the future we could base SSH key validation on DNS; this would be the first step. A bit like the TLSA record (spz@ pinged me about it) for server certificates. Just see this as a pro-active step, without any real drawback (at least from my PoV, that's why I am asking on -users@).


Jean-Yves Migeon

Home | Main Index | Thread Index | Old Index