VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Paul Wouters paul at xelerance.com
Wed Oct 12 19:43:42 UTC 2011


On Wed, 12 Oct 2011, Kevin Fenzi wrote:

> * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
>  "VerifyHostKeyDNS yes")

https://bugzilla.redhat.com/show_bug.cgi?id=180277
https://bugzilla.redhat.com/show_bug.cgi?id=730558

You can't tell us to use this while at the same time refusing to make
that security setting not the system default....

I asked for this back in 2006 ........

See the bug entry for my elaborate example showing you that DNS without DNSSEC
does NOT lead to automatically connecting to servers you were never on before
without prompting.

Paul


More information about the devel mailing list