Public bug reported:

Hi,

openssh can look up a host's key in the DNS (via the SSHFP record) and
use it to compare against the host's presented public key.
  VerifyHostKeyDNS yes

I believe that if the connection is secured via DNSSEC, this option
will allow for the host's key to be automagically accepted. However, I
have not verified that myself.

However, I have had this personally set to 'Yes' and for initial
connections to hosts which are NOT secured via DNSSEC I am prompted to
accept the key.

If you want to be more cautious with the change then perhaps setting
'VerifyHostKeyDNS ask' would be better.

Either way, I think that making this the default option will:
 - increase security for those who choose to deploy SSHFP
 - increase awareness of this ability

The only downside is that a connection will make external calls to the
DNS to determine if an SSHFP record exists.

It would be great if this change could be made before 12.04 is released.

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New
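The SSHFP comparison the report describes, as an added example in Python (not part of the bug report or of OpenSSH's code): it builds the records `ssh-keygen -r` would publish for a host key and checks a presented key against them. The sample keys are constructed blobs, not real keys, and the DNS lookup and DNSSEC (AD bit) check that the real client performs are assumed to happen elsewhere.

```python
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def parse_pubkey_line(line: str) -> tuple:
    """Parse a 'type base64 [comment]' line (the ssh_host_*_key.pub format) into
    (key type, raw key blob); the type inside the blob must match the declared one."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob

def sshfp_records(owner: str, pubkey_line: str) -> list:
    """The SSHFP records a zone publishes for this key, in the presentation
    format 'ssh-keygen -r' prints: 'owner IN SSHFP alg fptype hex'."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    return [f"{owner} IN SSHFP {SSHFP_ALGORITHM[key_type]} {fptype} {h(blob).hexdigest()}"
            for fptype, h in SSHFP_FPTYPE.items()]

def host_key_matches(pubkey_line: str, records: list) -> bool:
    """Client-side comparison VerifyHostKeyDNS performs: does the key the server
    presented match a published SSHFP record? OpenSSH treats a match as authoritative
    only when the resolver flagged the answer as DNSSEC-validated (AD bit); otherwise
    it still prompts, as the report describes for zones without DNSSEC."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    for rr in records:
        alg, fptype, fp = rr.split()[-3:]
        digest = SSHFP_FPTYPE.get(int(fptype))
        if int(alg) == SSHFP_ALGORITHM[key_type] and digest and fp.lower() == digest(blob).hexdigest():
            return True
    return False

# Constructed sample keys (NOT real keys): an Ed25519 blob is the type string
# followed by the 32-byte public key, each encoded as an SSH string.
HOST_KEY = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode() + " host"
OTHER_KEY = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()
```

Point `sshfp_records` at a real `ssh_host_*_key.pub` line and the output can be diffed against `ssh-keygen -r host -f that_file`.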

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/825825

Title:
  have DNS based verification occur by default


-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com