Request to please enable VerifyHostKeyDNS for openssh-clients in FC7
nodata
lsof at nodata.co.uk
Fri Mar 23 21:05:43 UTC 2007
On Friday, 23.03.2007, 21:05 +0100, Paul Wouters wrote:
> I just installed openssh-clients-4.5p1-2.fc7 and noticed that the option
> to use SSHFP DNS records is still not enabled. From the man page:
>
> VerifyHostKeyDNS
> Specifies whether to verify the remote key using DNS and SSHFP
> resource records. If this option is set to yes, the client
> will implicitly trust keys that match a secure fingerprint from
> DNS. Insecure fingerprints will be handled as if this option was
> set to ask. If this option is set to ask, information on
> fingerprint match will be displayed, but the user will still need
> to confirm new host keys according to the StrictHostKeyChecking
> option. The argument must be yes, no, or ask. The default
> is no. Note that this option applies to protocol version 2
> only.
>
> See also VERIFYING HOST KEYS in ssh(1).
>
> The openssh package maintainer has told me in the past he does not want
> to enable this option due to the "potential harm of an extra DNS lookup".
>
> To me that seems like a weak argument against adding more security,
> especially since the sshd already does plenty of reverse dns lookups on
> the client to begin with. And with proper dns configuration, even without
> having an SSHFP record, the delay of one dns lookup in the ssh client is
> not going to exceed 100ms.
>
> I maintain the "sshfp" package to generate these SSHFP records for hosts
> or domains based on .ssh/known_hosts or ssh-keyscan, making it trivially
> easy for anyone who has their own domain to add SSHFP records to their
> domain to make use of this additional security feature.
>
> SSHFP records are providing real security. It gives you an additional
> hint on whether or not you can trust the remote host you are connecting
> to for the first time. It will add some safety for people who just hit
> "yes" now to any new fingerprint presented by the ssh client (yeah sure,
> no one admits to doing it, but everyone does).
>
> Xelerance has deployed SSHFP records for over a year now. We do not
> see any problems or even experience the extra wait time using an
> ssh client with VerifyHostKeyDNS enabled. It has been active on all
> openswan/xelerance domains and never prevented a single ssh client from
> connecting to those servers.
>
> We would really like to see this option enabled by default. If we miss
> enabling this option for FC7, we will go through at least another six
> months of changing every install of FC manually to enable this in the
> /etc/ssh/ssh_config file.
>
> Note that by now, RIPE's reverse tree is secured by DNSSEC. This covers
> all IP space in Europe. The first two CC:TLD's (Sweden and Bulgaria) have
> also enabled DNSSEC. This provides a very strong protection for SSHFP
> records, though granted this will take some resolver configurations,
> which is another topic that Fedora should at some point address for the
> caching-resolver package.
>
> So, I really hope that we can enable SSHFP record lookups in the ssh
> client in its default configuration file.
>
> As a sidenote, upgrading to the test2 version, i noticed there is no
> openssh-askpass package anymore. Will the upgrade from FC6 to FC7 be
> able to deal with this properly?
>
> Paul
>
Can I check something? Is SSHFP not useful unless dnssec is on?
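Added example, not code from the thread or from the sshfp package: it derives SSHFP records from a known_hosts line the way the quoted message describes, and models the yes/ask/no decision from the ssh_config(5) text above, with "secure" standing for a DNSSEC-validated answer. The host name, key bytes and record set are constructed; it also covers the SHA-256 fingerprint type and ECDSA/Ed25519 algorithm numbers that were standardised after this message.

```python
import base64
import hashlib

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def fingerprint_hex(key_blob, fptype):
    """SSHFP fingerprint: hash over the raw (base64-decoded) public key blob."""
    return SSHFP_HASH[fptype](key_blob).hexdigest()


def sshfp_records(known_hosts_line):
    """Turn one plain (unhashed) known_hosts line into SSHFP RRs, one per hash type."""
    host, keytype, b64 = known_hosts_line.split()[:3]
    host = host.split(",")[0]          # "host,ip" entries: publish under the name
    blob = base64.b64decode(b64)
    alg = SSHFP_ALG[keytype]
    return ["%s. IN SSHFP %d %d %s" % (host, alg, t, fingerprint_hex(blob, t))
            for t in sorted(SSHFP_HASH)]


def host_key_decision(keytype, blob, dns_records, secure, option="yes"):
    """Model the VerifyHostKeyDNS behaviour quoted from ssh_config(5).

    dns_records: (alg, fptype, hexfp) tuples returned for the host.
    secure: True only if the DNS answer was DNSSEC-validated.
    Returns 'trust' (accept silently), 'ask' (match shown, user still confirms)
    or 'unknown' (no match; StrictHostKeyChecking decides as usual).
    """
    if option == "no":
        return "unknown"
    alg = SSHFP_ALG[keytype]
    match = any(a == alg and t in SSHFP_HASH and fingerprint_hex(blob, t) == fp.lower()
                for a, t, fp in dns_records)
    if not match:
        return "unknown"
    return "trust" if (option == "yes" and secure) else "ask"


def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b


# Constructed sample: an ed25519-shaped key blob, NOT a real host key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "bastion.example.test ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
```

Only a DNSSEC-validated ("secure") match lets `VerifyHostKeyDNS yes` accept the key without prompting; an unvalidated match is downgraded to `ask`.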