[Systems] SSHFP records
Bernie Innocenti
bernie at codewiz.org
Fri Sep 3 20:04:21 EDT 2010
I learned about a cool method to verify SSH fingerprints using DNS
resource records:
    VerifyHostKeyDNS
        Specifies whether to verify the remote key
        using DNS and SSHFP resource records. If this
        option is set to “yes”, the client will
        implicitly trust keys that match a secure
        fingerprint from DNS. Insecure fingerprints will
        be handled as if this option was set to “ask”.
        If this option is set to “ask”, information on
        fingerprint match will be displayed, but the
        user will still need to confirm new host keys
        according to the StrictHostKeyChecking option.
        The argument must be “yes”, “no”, or “ask”.
        The default is “no”. Note that this option
        applies to protocol version 2 only.
        See also VERIFYING HOST KEYS in ssh(1).
I've used the sshfp command line tool to generate the resource records
for our main machines in sugarlabs.org and codewiz.org.
Combined with DNSSEC, this provides a very secure path to verify ssh
fingerprints. Note that presently only the codewiz.org zone is signed
because I don't want to impose the complexity of DNSSEC on others until
I'm fully confident working with it myself.
--
// Bernie Innocenti - http://codewiz.org/
\X/ Sugar Labs - http://sugarlabs.org/
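As an added illustration of what the records generated above contain (this is not the sshfp tool's own code), the following Python builds the SSHFP RDATA for an OpenSSH public key line, i.e. the algorithm number, the fingerprint type and the hex digest of the raw public key blob as specified in RFC 4255 and RFC 6594, and checks a presented key against a published record the way a client with VerifyHostKeyDNS would. The Ed25519 key in it is constructed from dummy bytes and is not a real host key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line: str, fptype: int = 2) -> str:
    """Return the SSHFP RDATA ("alg fptype hexdigest") for one OpenSSH public key line."""
    keytype, b64, *_comment = pubkey_line.split()
    blob = base64.b64decode(b64)  # the fingerprint covers the raw key blob, not the base64 text
    alg = SSHFP_ALGORITHMS[keytype]
    digest = SSHFP_HASHES[fptype](blob).hexdigest()
    return f"{alg} {fptype} {digest}"


def matches_sshfp(pubkey_line: str, rdata: str) -> bool:
    """Check whether an SSHFP record from DNS matches the key a server presented."""
    alg, fptype, digest = rdata.split()
    expected = sshfp_rdata(pubkey_line, int(fptype))
    # Hex digests in zone files may be upper- or lower-case; compare case-insensitively.
    return expected == f"{int(alg)} {int(fptype)} {digest.lower()}"


def _ssh_string(data: bytes) -> bytes:
    """Encode one RFC 4251 'string' (4-byte big-endian length prefix + bytes)."""
    return struct.pack(">I", len(data)) + data


def fake_ed25519_pubkey_line(key: bytes) -> str:
    """Constructed sample only: wrap 32 arbitrary bytes in an ssh-ed25519 key blob."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


SAMPLE_PUBKEY_LINE = fake_ed25519_pubkey_line(bytes(range(32)))

if __name__ == "__main__":
    for fptype in (1, 2):
        print("host.example.org. IN SSHFP", sshfp_rdata(SAMPLE_PUBKEY_LINE, fptype))
```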