[Bug 207725] Review Request: sshfp - Generate SSHFP DNS records from knownhosts files or ssh-keyscan

bugzilla at redhat.com bugzilla at redhat.com
Fri Sep 22 19:45:54 UTC 2006



Summary: Review Request: sshfp - Generate SSHFP DNS records from knownhosts files or ssh-keyscan

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207725

------- Additional Comments From paul at xelerance.com  2006-09-22 15:45 EST -------
It changes /etc/sshd/ssh_config not /etc/sshd/sshd_config. It only changes the
behaviour of the ssh client. 

    VerifyHostKeyDNS
             Specifies whether to verify the remote key using DNS and SSHFP
             resource records.  If this option is set to “yes”, the client
             will implicitly trust keys that match a secure fingerprint from
             DNS.  Insecure fingerprints will be handled as if this option was
             set to “ask”.  If this option is set to “ask”, information on
             fingerprint match will be displayed, but the user will still need
             to confirm new host keys according to the StrictHostKeyChecking
             option.  The argument must be “yes”, “no” or “ask”.  The default
             is “no”.  Note that this option applies to protocol version 2
             only.


I do see your point about not installing this package everywhere, and as such
enabling VerifyHostKeyDNS in the ssh client configuration is not very useful.

I choose to enable it so that I can generate sshfp records on the same machine
that I use to test the SSHFP records work properly.

Do you still think it is a problem to enable this?

The user will still be prompted for the new key, but an additional message
appears saying the key matches the DNS entry for it. Extra big warning banners
happen when you're being MITM'ed by someone redirecting your port 22 stream.

I don't understand why RedHat does not enable VerifyHostKeyDNS. It only adds to
security, at the expense of one DNS lookup. Especially with the first DNSSEC
TLDs being in full production (amongst them all of RIPE-NCC's reverse!)



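As an added illustration of what the comment above describes (not code from the sshfp package or from the commenter), this builds an SSHFP record from a known_hosts or ssh-keyscan line and checks a received key against it, the way a VerifyHostKeyDNS-enabled client would compare. The key blob is a constructed toy value, not a real key; the hostname is assumed.

```python
"""Generate and check SSHFP resource records (RFC 4255) from known_hosts lines.

Added example for this review thread; it is not the sshfp package's own code.
"""
import base64
import hashlib

# RFC 4255 algorithm numbers; in 2006 only RSA (1) and DSA (2) were assigned.
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2}
SHA1 = 1  # RFC 4255 fingerprint type 1 = SHA-1 over the raw public key blob


def sshfp_from_known_hosts(line: str) -> str:
    """Turn one 'host keytype base64blob' line (known_hosts or ssh-keyscan) into an SSHFP RR."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a known_hosts line: %r" % line)
    host, keytype, blob = fields[0], fields[1], fields[2]
    if keytype not in ALGORITHMS:
        raise ValueError("unsupported key type: %s" % keytype)
    if host.startswith("|1|"):
        # Hashed hostnames cannot be turned back into an owner name.
        raise ValueError("hashed hostname; use ssh-keyscan output instead")
    # The fingerprint is SHA-1 of the decoded blob, exactly the bytes ssh-keyscan prints.
    digest = hashlib.sha1(base64.b64decode(blob)).hexdigest().upper()
    owner = host.split(",")[0]  # known_hosts may list 'host,ip'; the RR owner is the name
    return "%s IN SSHFP %d %d %s" % (owner, ALGORITHMS[keytype], SHA1, digest)


def sshfp_matches(record: str, received_line: str) -> bool:
    """Client-side check: does the DNS record agree with the key just offered by the server?"""
    return record.split()[-3:] == sshfp_from_known_hosts(received_line).split()[-3:]


def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


def _mpint(n: int) -> bytes:
    # Positive mpint: big-endian, with a leading zero byte if the high bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def toy_rsa_blob(e: int, n: int) -> str:
    """Constructed ssh-rsa wire blob (string 'ssh-rsa', mpint e, mpint n); NOT a usable key."""
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)).decode()


# Constructed sample line in ssh-keyscan / known_hosts format (hostname is an assumption).
SAMPLE_LINE = "host.example.com,192.0.2.1 ssh-rsa " + toy_rsa_blob(65537, 0xC0FFEE)

if __name__ == "__main__":
    print(sshfp_from_known_hosts(SAMPLE_LINE))
```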