VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
Wes Hardaker
wjhns174 at hardakers.net
Thu Oct 13 18:15:20 UTC 2011
>>>>> On Thu, 13 Oct 2011 10:46:01 -0400 (EDT), Paul Wouters <paul at xelerance.com> said:
PW> Also, trusted the AD bit without trusting the last mile violates the
PW> RFC 3655 Section 3
[snip]
PW> If the ssh client grabs non-localhost resolver entries and trusts the AD
PW> bit, then that is a bug and should be reported upstream.
The other option is to do in-application validation which gets all the
way to the end-system.
We actually have some instrumented openssh RPMs that are based on the
Fedora RPM with an additional patch to support in-application DNSSEC
validation.
https://www.dnssec-tools.org/wiki/index.php/OpenSSH
https://www.dnssec-tools.org/download/
The implementation does a number of nice things, which includes
auto-accepting SSHFP keys that were verified via DNSSEC.
--
Wes Hardaker
My Pictures: http://capturedonearth.com/
My Thoughts: http://pontifications.hardakers.net/
More information about the devel
mailing list