Request to please enable VerifyHostKeyDNS for openssh-clients in FC7

nodata lsof at nodata.co.uk
Fri Mar 23 21:05:43 UTC 2007


On Friday, 23.03.2007, at 21:05 +0100, Paul Wouters wrote:
> I just installed openssh-clients-4.5p1-2.fc7 and noticed that the option
> to use SSHFP DNS records is still not enabled. From the man page:
> 
>      VerifyHostKeyDNS
>              Specifies whether to verify the remote key using DNS and SSHFP
>              resource records.  If this option is set to yes, the client
>              will implicitly trust keys that match a secure fingerprint from
>              DNS.  Insecure fingerprints will be handled as if this option was
>              set to ask.  If this option is set to ask, information on
>              fingerprint match will be displayed, but the user will still need
>              to confirm new host keys according to the StrictHostKeyChecking
>              option.  The argument must be yes, no, or ask.  The default
>              is no.  Note that this option applies to protocol version 2
>              only.
> 
>              See also VERIFYING HOST KEYS in ssh(1).
> 
> The openssh package maintainer has told me in the past he does not want
> to enable this option due to the "potential harm of an extra DNS lookup".
> 
> To me that seems like a weak argument against adding more security,
> especially since the sshd already does plenty of reverse dns lookups on
> the client to begin with. And with proper dns configuration, even without
> having an SSHFP record, the delay of one dns lookup in the ssh client is
> not going to exceed 100ms.
> 
> I maintain the "sshfp" package to generate these SSHFP records for hosts
> or domains based on .ssh/known_hosts or ssh-keyscan, making it trivially
> easy for anyone who has their own domain to add SSHFP records to their
> domain to make use of this additional security feature.
> 
> SSHFP records are providing real security. It gives you an additional
> hint on whether or not you can trust the remote host you are connecting
> to for the first time. It will add some safety for people who just hit
> "yes" now to any new fingerprint presented by the ssh client (yeah sure,
> no one admits to doing it, but everyone does).
> 
> Xelerance has deployed SSHFP records for over a year now. We do not
> see any problems or even experience the extra wait time using an
> ssh client with VerifyHostKeyDNS enabled. It has been active on all
> openswan/xelerance domains and never prevented a single ssh client from
> connecting to those servers.
> 
> We would really like to see this option enabled by default. If we miss
> enabling this option for FC7, we will go through at least another six
> months of changing every install of FC manually to enable this in the
> /etc/ssh/ssh_config file.
> 
> Note that by now, RIPE's reverse tree is secured by DNSSEC. This covers
> all IP space in Europe. The first two ccTLDs (Sweden and Bulgaria) have
> also enabled DNSSEC. This provides a very strong protection for SSHFP
> records, though granted this will take some resolver configurations,
> which is another topic that Fedora should at some point address for the
> caching-resolver package.
> 
> So, I really hope that we can enable SSHFP record lookups in the ssh
> client in its default configuration file.
> 
> As a sidenote, upgrading to the test2 version, I noticed there is no
> openssh-askpass package anymore. Will the upgrade from FC6 to FC7 be
> able to deal with this properly?
> 
> Paul
> 

Can I check something? Is SSHFP not useful unless dnssec is on?
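As an added worked example (not part of this thread, and not the code of the sshfp package or of OpenSSH), the following Python script shows the two halves of what is being discussed: how an SSHFP record is derived from a host key taken from a known_hosts line, and how a client's VerifyHostKeyDNS decision depends on whether the DNS answer was DNSSEC-validated. The algorithm and fingerprint-type numbers are the IANA SSHFP values (RSA=1, DSA=2, SHA-1=1 from RFC 4255; ECDSA=3 and SHA-256=2 from RFC 6594, Ed25519=4 from RFC 7479), which goes beyond the RSA/DSA/SHA-1 set that existed in 2007. The sample key blob, host names and the `verify_host_key_dns` decision function are constructed for this example; the function is a simplified model of the man page text quoted above, not OpenSSH's actual code.

```python
import base64
import hashlib
import struct

# SSHFP RDATA algorithm numbers (IANA registry, RFC 4255 / 6594 / 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data):
    """Encode one SSH wire-format string (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: a syntactically valid ssh-rsa key blob with toy numbers.
# It is NOT a real key; it only needs to be a well-formed blob for the demo.
SAMPLE_BLOB = (
    _ssh_string(b"ssh-rsa")
    + _ssh_string(b"\x01\x00\x01")            # e = 65537
    + _ssh_string(b"\x00\xc3" + b"\x5a" * 31)  # fake 256-bit modulus
)
# Constructed known_hosts line: "host[,host...] keytype base64blob".
SAMPLE_LINE = "host.example.com,192.0.2.10 ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()


def parse_known_hosts_line(line):
    """Return (hostnames, keytype, raw key blob) for one known_hosts line."""
    fields = line.split()
    # Marker lines such as '@cert-authority host ...' carry one extra field.
    if fields and fields[0].startswith("@"):
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    hosts, keytype, b64 = fields[0], fields[1], fields[2]
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for key type %r" % keytype)
    return hosts.split(","), keytype, base64.b64decode(b64)


def fingerprint(blob, fptype):
    """Hex digest of the raw public-key blob, as published in SSHFP RDATA."""
    return FP_TYPES[fptype](blob).hexdigest()


def sshfp_records(line, fptypes=(1, 2)):
    """Generate SSHFP RRs in zone-file presentation format for a known_hosts line."""
    hosts, keytype, blob = parse_known_hosts_line(line)
    algo = SSHFP_ALGORITHMS[keytype]
    return [
        "%s. IN SSHFP %d %d %s" % (host, algo, fptype, fingerprint(blob, fptype))
        for host in hosts
        for fptype in fptypes
    ]


def verify_host_key_dns(keytype, blob, records, dnssec_validated, setting="yes"):
    """Simplified model of the VerifyHostKeyDNS logic described in ssh_config(5).

    Returns:
      'trust' - a matching fingerprint came from a DNSSEC-validated answer and
                the option is 'yes': the client would accept the key implicitly.
      'ask'   - a match was found but the answer was not validated (an
                "insecure fingerprint"), or the option is 'ask': the match is
                shown, but the user still confirms per StrictHostKeyChecking.
      'none'  - option 'no', or no record matches: ordinary host-key prompt.
    """
    if setting == "no":
        return "none"
    algo = SSHFP_ALGORITHMS[keytype]
    for rec in records:
        fields = rec.split()
        rr_algo, rr_fptype, rr_hex = int(fields[-3]), int(fields[-2]), fields[-1].lower()
        if rr_algo != algo or rr_fptype not in FP_TYPES:
            continue  # unknown or non-matching algorithm/digest: ignore the record
        if fingerprint(blob, rr_fptype) == rr_hex:
            if setting == "yes" and dnssec_validated:
                return "trust"
            return "ask"
    return "none"


if __name__ == "__main__":
    for rr in sshfp_records(SAMPLE_LINE):
        print(rr)
    recs = sshfp_records(SAMPLE_LINE)
    print("validated:", verify_host_key_dns("ssh-rsa", SAMPLE_BLOB, recs, True))
    print("unvalidated:", verify_host_key_dns("ssh-rsa", SAMPLE_BLOB, recs, False))
```

The `dnssec_validated` flag stands for the AD bit on the DNS answer, which is exactly what the question in this reply turns on: without DNSSEC the record still produces a match, but the man page treats it as an insecure fingerprint and only downgrades to "ask", so the lookup is useful as a hint rather than as an automatic trust decision.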



