Re: Enabling VerifyHostKeyDNS option in /etc/ssh/ssh_config
On 27/09/2013 13:57, Greg Troxel wrote:
Jean-Yves Migeon <jeanyves.migeon%free.fr@localhost> writes:
+# Some NetBSD's hosts provide SSHFP records - try checking them
+ VerifyHostKeyDNS ask
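Review bot: The comment on the first added line reads "Some NetBSD's hosts"; suggest "# Some NetBSD hosts provide SSHFP records; check them" and, because the value is `ask` rather than `yes`, add to the comment that the client will only display whether the DNS fingerprint matched and still prompt the user to confirm the key, so a matching record from an unsigned zone is informational only.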
Not really objecting, but:
Why only for netbsd.org?
Because I know admins@ add SSHFP records for the hosts managed by TNF.
For other domains... well, I am not so sure about that :)
Does upstream OpenSSH enable this by default?
Why or why not?
- that would force a DNS lookup for each host you connect to, but the
amount of admins that add SSHFP records to their DNS is almost zero. We
have chance there: spz does, so I limit this to TNF hosts to be
- without DNSSEC it is purely informational: DNS is insecure by design,
you cannot replace a "strict" fingerprint check by a simple DNS lookup.
It is weaker, but still better than nothing.
In the future we could base SSH key validation on DNS; this would be
the first step. A bit like the TLSA record (spz@ pinged me about it) for
server certificates. Just see this as a pro-active step, without any
real drawback (at least from my PoV, that's why I am asking on -users@).
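As an added illustration (not code from the thread or from OpenSSH), the following Python script builds the SSHFP records for one OpenSSH public key in the presentation format that `ssh-keygen -r` prints, and models the client-side decision described above: a matching record is only trusted outright when the DNS answer was DNSSEC-validated, otherwise it is informational and the user is still asked. The key material, hostname and the helper names are constructed for this example.

```python
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}  # fingerprint types

def key_blob(pubkey_line):
    """Return (keytype, raw key blob) from an OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    return keytype, base64.b64decode(b64)

def sshfp_records(hostname, pubkey_line):
    """One SSHFP record per fingerprint type; the hash covers the raw blob."""
    keytype, blob = key_blob(pubkey_line)
    algo = SSHFP_ALGO[keytype]
    return [f"{hostname} IN SSHFP {algo} {fptype} {h(blob).hexdigest()}"
            for fptype, h in SSHFP_HASH.items()]

def check_sshfp(pubkey_line, record, dnssec_validated, setting="yes"):
    """Model of VerifyHostKeyDNS: 'accept' only for a matching, DNSSEC-validated
    record under setting 'yes'; a match that is unsigned, or any match under
    setting 'ask', still prompts the user ('ask'); otherwise 'mismatch'."""
    keytype, blob = key_blob(pubkey_line)
    fields = record.split()
    algo, fptype, fp = int(fields[-3]), int(fields[-2]), fields[-1].lower()
    if algo != SSHFP_ALGO[keytype] or fptype not in SSHFP_HASH:
        return "mismatch"
    if SSHFP_HASH[fptype](blob).hexdigest() != fp:
        return "mismatch"
    if setting == "yes" and dnssec_validated:
        return "accept"
    return "ask"

def constructed_ed25519_key():
    """A syntactically valid ssh-ed25519 line built from a constructed (not
    real) 32-byte key so the example runs offline without a real host."""
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"

if __name__ == "__main__":
    key = constructed_ed25519_key()
    for rec in sshfp_records("host.example", key):
        print(rec, "->", check_sshfp(key, rec, dnssec_validated=False))
```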