On 20-10-2014 19:37, Christian Weisgerber wrote:
> On 2014-10-20, Craig R. Skinner <skin...@britvault.co.uk> wrote:
>
>> I noticed OpenBSD anon CVS SSH fingerprints have the bit length
>> published with the algorithm type:
>> http://www.openbsd.org/anoncvs.html
>
> That seems useless.

That's not useless. SSHFP records have the algorithm type and the fingerprint type. In this case, if the fingerprint and the algorithm do not match, the ssh client will fail the DNS verification, even if the key is correct on the DNS server.

OP, if you will publish the fingerprints using SSHFP, pay attention to this.

You can use this: https://github.com/xelerance/sshfp to generate the DNS records for a given host. It can read from the host key files or can query a remote ssh server. It can generate RSA, DSA and, more recently, ECDSA records.
Cheers
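The point made in the reply above, as an added example that is not part of the thread and not the code of the xelerance/sshfp tool: the script below builds SSHFP records from an OpenSSH public key line (the format of `ssh_host_*_key.pub` and of `ssh-keyscan` output) and then mimics the client-side check, where a record only matches if both the algorithm number for the presented key type and the fingerprint agree. The key in it is a constructed Ed25519-shaped blob, not a real host key, and the hostname `cvs.example.org` is made up; the algorithm and fingerprint-type code points are the ones registered for SSHFP (RSA 1, DSA 2, ECDSA 3, Ed25519 4; SHA-1 1, SHA-256 2).

```python
import base64
import hashlib
import struct

# SSHFP code points: key algorithm number and fingerprint type number.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key, NOT a real host key: an Ed25519 public key blob is the
# wire string "ssh-ed25519" followed by the wire string holding the 32-byte key.
_FAKE_ED25519_PUBKEY = bytes(range(32))
SAMPLE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(_FAKE_ED25519_PUBKEY)
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_KEY_BLOB).decode() + " root@cvs.example.org"


def parse_pubkey_line(line: str):
    """Parse one OpenSSH public key line into (keytype, raw key blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    # The blob's first wire string repeats the key type; if it does not,
    # the line is corrupt or is not the key type it claims to be.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in blob does not match key type field")
    return keytype, blob


def fingerprint(blob: bytes, fptype: int) -> str:
    """SSHFP fingerprint: hash of the raw key blob, hex encoded."""
    return SSHFP_FPTYPES[fptype](blob).hexdigest()


def sshfp_records(hostname: str, line: str):
    """Return (hostname, algorithm, fptype, fingerprint) tuples, one per fingerprint type."""
    keytype, blob = parse_pubkey_line(line)
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError(f"no SSHFP algorithm number for key type {keytype}")
    alg = SSHFP_ALGORITHMS[keytype]
    return [(hostname, alg, fpt, fingerprint(blob, fpt)) for fpt in sorted(SSHFP_FPTYPES)]


def format_zone(records) -> str:
    """Render records as zone-file lines, e.g. 'host. IN SSHFP 4 2 <hex>'."""
    return "\n".join(f"{h}. IN SSHFP {alg} {fpt} {fp}" for h, alg, fpt, fp in records)


def client_verifies(line: str, rr_alg: int, rr_fptype: int, rr_fp: str) -> bool:
    """Mimic the client check: the RR matches only if its algorithm number
    corresponds to the presented key's type AND the fingerprint agrees.
    A correct fingerprint under the wrong algorithm number is a failure."""
    keytype, blob = parse_pubkey_line(line)
    if SSHFP_ALGORITHMS.get(keytype) != rr_alg:
        return False
    if rr_fptype not in SSHFP_FPTYPES:
        return False
    return fingerprint(blob, rr_fptype).lower() == rr_fp.lower()


if __name__ == "__main__":
    recs = sshfp_records("cvs.example.org", SAMPLE_KEY_LINE)
    print(format_zone(recs))
    _, alg, fpt, fp = recs[1]
    print("right algorithm number:", client_verifies(SAMPLE_KEY_LINE, alg, fpt, fp))
    print("same fingerprint, RSA (1) claimed:", client_verifies(SAMPLE_KEY_LINE, 1, fpt, fp))
```

Feed it the real `/etc/ssh/ssh_host_*_key.pub` lines on the host and publish all of the resulting records; a client that looks up the zone compares the record's algorithm number against the key the server actually presents, so a record whose fingerprint is right but whose algorithm field says RSA for an Ed25519 key will not verify.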