On 27/09/2013 13:57, Greg Troxel wrote:
Jean-Yves Migeon <[email protected]> writes:
+# Some NetBSD's hosts provide SSHFP records - try checking them
+Host *.netbsd.org
+ VerifyHostKeyDNS ask
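Review bot: the pattern `Host *.netbsd.org` does not match the bare name `netbsd.org`, so if any TNF host is reached by that name the stanza will not apply; `Host netbsd.org *.netbsd.org` covers both. The comment should also read "Some NetBSD hosts provide SSHFP records" rather than "Some NetBSD's hosts", and it would help readers to note that a DNS match only counts as more than informational when the answer is DNSSEC-validated, and that with `ask` the user is still prompted on a match.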
Not really objecting, but:
Why only for netbsd.org?
Because I know admins@ add SSHFP records for the hosts managed by TNF.
For other domains... well, I am not so sure about that :)
Does upstream OpenSSH enable this by default?
Nope
Why or why not?
Wild guess:
- that would force a DNS lookup for each host you connect to, but the
number of admins that add SSHFP records to their DNS is almost zero. We
are lucky there: spz does, so I limit this to TNF hosts to be
meaningful.
- without DNSSEC it is purely informational: DNS is insecure by design,
you cannot replace a "strict" fingerprint check by a simple DNS lookup.
It is weaker, but still better than nothing.
In the future we could base SSH key validation on DNS; this would be
the first step. A bit like the TLSA record (spz@ pinged me about it) for
server certificates. Just see this as a proactive step, without any
real drawback (at least from my PoV, that's why I am asking on -users@).
Cheers,
--
Jean-Yves Migeon
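As an added example (not part of the original thread, and not OpenSSH's own code), the following Python script shows what the SSHFP mechanism discussed above actually does: it derives the SSHFP record(s) for a host public key the same way `ssh-keygen -r` does (algorithm number, fingerprint type, hash of the raw key blob per RFC 4255/6594/7479), and then models the decision described in the ssh_config manual for VerifyHostKeyDNS, where a match is implicitly trusted only for `yes` and only when the DNS answer was DNSSEC-validated, and everything else falls back to the usual prompt. The key is a constructed 32-byte value, not a real key, and `dns_secure` stands in for the AD bit on the resolver's answer.

```python
import base64
import hashlib
import struct

# SSHFP parameter registry values (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode a length-prefixed SSH wire string."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_key() -> str:
    """Build a known_hosts-style public key line from a CONSTRUCTED 32-byte
    value. This is not a real key; it only exercises the encoding."""
    raw = bytes(range(32))
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def sshfp_records(pubkey_line: str, fptypes=(1, 2)):
    """Return [(algorithm, fptype, hex fingerprint)] for a public key line,
    hashing the base64-decoded key blob exactly as SSHFP requires."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, t, SSHFP_FPTYPE[t](blob).hexdigest()) for t in fptypes]


def format_sshfp(hostname: str, records) -> list:
    """Render records as zone-file lines (same shape as ssh-keygen -r output)."""
    return [f"{hostname}. IN SSHFP {alg} {fptype} {fp}" for alg, fptype, fp in records]


def verify_against_dns(pubkey_line: str, dns_records, dns_secure: bool,
                       policy: str = "ask") -> str:
    """Model of the VerifyHostKeyDNS decision (assumption: follows ssh_config(5)):
      'trusted'         - match, DNSSEC-validated answer, policy 'yes'
      'ask-with-match'  - match, but insecure answer or policy 'ask': user still prompted
      'mismatch'        - records for this key algorithm exist but none match
      'ask'             - no applicable record: normal StrictHostKeyChecking flow
    """
    presented = sshfp_records(pubkey_line)
    alg = presented[0][0]
    relevant = [r for r in dns_records if r[0] == alg]
    if not relevant:
        return "ask"
    if not any(r in presented for r in relevant):
        return "mismatch"
    if dns_secure and policy == "yes":
        return "trusted"
    return "ask-with-match"


if __name__ == "__main__":
    key = constructed_ed25519_key()
    recs = sshfp_records(key)
    for line in format_sshfp("host.example", recs):
        print(line)
    # Without DNSSEC the match is informational only, as the thread says.
    print(verify_against_dns(key, recs, dns_secure=False, policy="yes"))
    print(verify_against_dns(key, recs, dns_secure=True, policy="yes"))
```

Run it to see the two SSHFP lines (SHA-1 and SHA-256) a zone would carry for the constructed key, followed by `ask-with-match` for an unvalidated answer and `trusted` for a DNSSEC-validated one; the same policy as `yes` but with `ask` never returns `trusted`, which is the weaker-but-better-than-nothing setting the patch proposes.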