On Fri, Aug 06, 2010 at 04:34:19AM -0500, Mike McGrath wrote:
On Fri, 6 Aug 2010, Mike McGrath wrote:
> On Fri, 6 Aug 2010, Till Maas wrote:
> > On Thu, Aug 05, 2010 at 04:32:36PM -0500, Mike McGrath wrote:
> > > We also use SSHFP records for those of you that want to enable
> > > VerifyHostKeyDNS yes in their ~/.ssh/config files. Not all of our hosts
> > > have it but many of our 'user' based external hosts do (pkgs,
> > > fedorapeople, fedorahosted, etc)
> >
> > Afaik the SSHFP records are not protected against tampering by an MITM
> > attacker.
<snip>
Side note on this: Combined with DNSSEC, this actually would protect
against a MITM attacker.
Not only that, but they *are* signed, and the signing key is in the ISC
DLV registry. You just need a name server that has DNSSEC enabled and
uses the ISC DLV registry (output trimmed for relevance):
$ dig +adflag -t sshfp
pkgs.fedoraproject.org
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;pkgs.fedoraproject.org. IN SSHFP
;; ANSWER SECTION:
pkgs.fedoraproject.org. 3600 IN SSHFP 1 1 2AB094461D34656B4704B4EDBCF002A09EBCE4F7
Note the ad flag, which indicates that the answer is authentic.