Request to please enable VerifyHostKeyDNS for openssh-clients in FC7

Paul Wouters paul at xelerance.com
Fri Mar 23 20:05:08 UTC 2007


I just installed openssh-clients-4.5p1-2.fc7 and noticed that the option
to use SSHFP DNS records is still not enabled. From the man page:

     VerifyHostKeyDNS
             Specifies whether to verify the remote key using DNS and SSHFP
             resource records.  If this option is set to yes, the client
             will implicitly trust keys that match a secure fingerprint from
             DNS.  Insecure fingerprints will be handled as if this option was
             set to ask.  If this option is set to ask, information on
             fingerprint match will be displayed, but the user will still need
             to confirm new host keys according to the StrictHostKeyChecking
             option.  The argument must be yes, no, or ask.  The default
             is no.  Note that this option applies to protocol version 2
             only.

             See also VERIFYING HOST KEYS in ssh(1).

The openssh package maintainer has told me in the past he does not want
to enable this option due to the "potential harm of an extra DNS lookup".

To me that seems like a weak argument against adding more security,
especially since the sshd already does plenty of reverse dns lookups on
the client to begin with. And with proper dns configuration, even without
having an SSHFP record, the delay of one dns lookup in the ssh client is
not going to exceed 100ms.

I maintain the "sshfp" package to generate these SSHFP records for hosts
or domains based on .ssh/known_hosts or ssh-keyscan, making it trivially
easy for anyone who has their own domain to add SSHFP records to their
domain to make use of this additional security feature.

SSHFP records are providing real security. It gives you an additional
hint on whether or not you can trust the remote host you are connecting
to for the first time. It will add some safety for people who just hit
"yes" now to any new fingerprint presented by the ssh client (yeah sure,
no one admits to doing it, but everyone does).

Xelerance has deployed SSHFP records for over a year now. We do not
see any problems or even experience the extra wait time using an
ssh client with VerifyHostKeyDNS enabled. It has been active on all
openswan/xelerance domains and never prevented a single ssh client from
connecting to those servers.

We would really like to see this option enabled by default. If we miss
enabling this option for FC7, we will go through at least another six
months of changing every install of FC manually to enable this in the
/etc/ssh/ssh_config file.

Note that by now, RIPE's reverse tree is secured by DNSSEC. This covers
all IP space in Europe. The first two CC:TLD's (Sweden and Bulgaria) have
also enabled DNSSEC. This provides a very strong protection for SSHFP
records, though granted this will take some resolver configurations,
which is another topic that Fedora should at some point address for the
caching-resolver package.

So, I really hope that we can enable SSHFP record lookups in the ssh
client in its default configuration file.

As a sidenote, upgrading to the test2 version, I noticed there is no
openssh-askpass package anymore. Will the upgrade from FC6 to FC7 be
able to deal with this properly?

Paul
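An added example, not part of Paul's post or of the sshfp package, showing what the SSHFP mechanism amounts to on both ends: the generator builds a zone-file SSHFP record from a plain known_hosts line (the same fingerprint ssh-keygen -r emits), and the checker does what the client does with VerifyHostKeyDNS, hashing the key the server presented and comparing it to the record. The hostname, IP address and key blob are constructed for the example.

```python
import base64
import hashlib

# Client side: put "VerifyHostKeyDNS yes" in /etc/ssh/ssh_config so ssh looks
# up <host>. IN SSHFP and compares it with the key the server presents.
# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
           "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_known_hosts(line, fp_type=2):
    """Build a zone-file SSHFP record from one plain (unhashed) known_hosts line.

    The fingerprint is the hash of the base64-decoded public key blob, which is
    what `ssh-keygen -r` emits and what the ssh client compares against.
    """
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("@"):
        raise ValueError("unsupported known_hosts line")
    hosts, keytype, b64 = fields[:3]
    if hosts.startswith("|1|"):
        raise ValueError("hashed hostname; SSHFP needs the plain owner name")
    owner = hosts.split(",")[0]  # first name before any alias or address
    digest = FP_HASH[fp_type](base64.b64decode(b64)).hexdigest()
    return f"{owner}. IN SSHFP {KEY_ALG[keytype]} {fp_type} {digest}"


def host_key_matches(record, keytype, b64):
    """Client-side check: does the key a server presented match this SSHFP record?"""
    _owner, _cls, _rr, alg, fp_type, digest = record.split()
    alg, fp_type = int(alg), int(fp_type)
    if KEY_ALG.get(keytype) != alg or fp_type not in FP_HASH:
        return False  # wrong key algorithm, or a fingerprint type we cannot compute
    return FP_HASH[fp_type](base64.b64decode(b64)).hexdigest() == digest.lower()


# Constructed sample: a fake Ed25519 key blob in SSH wire format (not a real key).
SAMPLE_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))).decode()
SAMPLE_LINE = f"bastion.example.com,192.0.2.10 ssh-ed25519 {SAMPLE_BLOB}"

if __name__ == "__main__":
    rec = sshfp_from_known_hosts(SAMPLE_LINE)
    print(rec)
    print("presented key matches record:", host_key_matches(rec, "ssh-ed25519", SAMPLE_BLOB))
```

Note that a match only means something when the answer came back validated by DNSSEC, which is the "secure fingerprint" the man page refers to; an unsigned answer is treated like "ask".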