Request to please enable VerifyHostKeyDNS for openssh-clients in FC7

Paul Wouters paul at xelerance.com
Sat Mar 24 00:56:55 UTC 2007


On Fri, 23 Mar 2007, nodata wrote:

> Can I check something? Is SSHFP not useful unless dnssec is on?

It is still very much useful.

First of all, consider the case of a trusted network, say a big university campus.
Using sshfp records, administrators can add new machines to the network and
put their sshfp records in DNS. You will be able to trust the keys for those
machines if you trust your campus dns server. The only other alternative known
to me for such ssh fingerprint deployments is putting the keys into an LDAP
server, or putting them on some web page, which is not very useful for automation.

As for when you are on an untrusted network, an attacker would now have to
both spoof your traffic to the DNS servers and man in the middle your ssh
session. If you would use your own DNS, instead of a dhcp assigned one, the
attacker would have to spoof more than just ssh. If you would be using a
DNS server through a VPN, the attacker just can't spoof it at all.

There is no question that SSHFP will become much more useful when combined
with DNSSEC. But DNSSEC is already here and deployed. Some ccTLDs deploy it.
Many testbeds exist, and organisations internally are using it.

E.g., an ssh session where VerifyHostKeyDNS is enabled would look like:

[paul at bofh ]$ ssh paul at www.xelerance.com
The authenticity of host 'www.xelerance.com (193.110.157.145)' can't be established.
RSA key fingerprint is ae:e2:07:ed:6e:fe:d9:0a:fc:a1:36:b7:ed:62:35:13.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

It is still up to the human to make the decision. When a key would change,
e.g. by a sysadmin or a hacker, you would get the additional LOUD warning
about the "mismatching host key fingerprint found in DNS" which would
clearly bring the point across that the ssh key changed and the admin didn't
update the DNS, so therefore it is likely the admin didn't change the key,
and your connection is being 'man in the middled'.

To me, the important part is, we do not LOSE anything by enabling it. But we
do facilitate early adopters of SSHFP and DNSSEC.

Paul
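As an added example, not from Paul's post or from OpenSSH itself: a Python model of the SSHFP comparison that VerifyHostKeyDNS performs, showing how the record is derived from a host key (SHA-1 over the raw key blob, per RFC 4255) and how the three outcomes above (match, mismatch, nothing in DNS) arise. The sample key is constructed, the function names are hypothetical, and the zone name www.example.net is an assumption.

```python
import base64
import hashlib
import struct

# RFC 4255 SSHFP numbering: algorithm 1 = RSA, 2 = DSA; fingerprint type 1 = SHA-1
# (the only fingerprint type defined when this thread was written).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2}
FP_TYPE_SHA1 = 1

def _ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n):
    """SSH wire 'mpint' for a positive integer (extra leading zero byte if the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_rsa_pubkey_line(e, n):
    """Assemble an OpenSSH 'ssh-rsa <base64 blob>' line from (e, n).
    Used here only to build a constructed sample key; the numbers need not form a real key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

def sshfp_rdata(pubkey_line):
    """SSHFP RDATA for a public key line, as 'ssh-keygen -r' would emit it:
    (algorithm, fingerprint type, hex SHA-1 of the raw key blob)."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return (SSHFP_ALGO[keytype], FP_TYPE_SHA1, hashlib.sha1(blob).hexdigest())

def sshfp_zone_line(host, pubkey_line):
    """Zone-file form of the record, e.g. 'www.example.net. IN SSHFP 1 1 <hex>'."""
    algo, fptype, fp = sshfp_rdata(pubkey_line)
    return "%s. IN SSHFP %d %d %s" % (host, algo, fptype, fp)

def verify_host_key_dns(offered_pubkey_line, dns_records):
    """Simplified model of the client-side VerifyHostKeyDNS check.
    dns_records: SSHFP RDATA tuples looked up for the host. Returns
    'match'    -> "Matching host key fingerprint found in DNS."
    'mismatch' -> records exist for this key type but none match (the LOUD warning)
    'none'     -> DNS says nothing about this key type; fall back to known_hosts."""
    algo, fptype, fp = sshfp_rdata(offered_pubkey_line)
    candidates = [r for r in dns_records if r[0] == algo and r[1] == fptype]
    if not candidates:
        return "none"
    return "match" if (algo, fptype, fp) in candidates else "mismatch"

# Constructed sample key (not a real host key): e = 65537, n = an arbitrary 960-bit value.
SAMPLE_KEY = make_rsa_pubkey_line(65537, int("c0ffee" * 40, 16))
SAMPLE_ZONE = sshfp_zone_line("www.example.net", SAMPLE_KEY)
```

Without DNSSEC the DNS answer itself is unauthenticated, so the client still asks the human, which is exactly the session shown above; the record only adds a second thing an attacker must forge.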




More information about the fedora-devel-list mailing list