VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
kevin at scrye.com
Wed Oct 12 19:47:09 UTC 2011
On Wed, 12 Oct 2011 15:43:42 -0400 (EDT)
Paul Wouters <paul at xelerance.com> wrote:
> On Wed, 12 Oct 2011, Kevin Fenzi wrote:
> > * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
> > "VerifyHostKeyDNS yes")
> You can't tell us to use this while at the same time refusing to make
> that security setting not the system default....
> I asked for this back in 2006 ........
If the 'you' you are talking to here is me, which is what it reads
like: I am not the openssh maintainer. ;)
> See the bug entry for my elaborate example showing you that DNS
> without DNSSEC does NOT lead to automatically connecting to servers
> you were never on before without prompting.
I completely agree with your reasoning and would love to have this
default in openssh.
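What `VerifyHostKeyDNS` actually compares against is an SSHFP record (RFC 4255, extended by RFC 6594 and RFC 7479): the hash of the host's public key blob, published under the host name. The script below is an added example, not code from this thread or from OpenSSH: it builds a constructed (not real) Ed25519 host key, derives the SSHFP records an admin would publish for it (the same data `ssh-keygen -r` emits), checks a key against a set of DNS answers, and models the client-side rule from ssh_config(5): with `VerifyHostKeyDNS yes`, a matching record is trusted implicitly only when the DNS answer was DNSSEC-validated (the resolver set the AD bit); an unvalidated match is treated as `ask`, i.e. the user is still prompted, which is the point Paul makes above. The host name and the DNS answers are constructed sample data.

```python
import base64
import hashlib

# SSHFP "algorithm" field (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP "fingerprint type" field: 1 = SHA-1, 2 = SHA-256
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length + payload."""
    return len(b).to_bytes(4, "big") + b


def constructed_hostkey_line() -> str:
    """A constructed sample host key in ssh_host_*_key.pub format.
    The 32 "key" bytes are a counting pattern, NOT a real key."""
    fake_pub = bytes(range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(fake_pub)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample-host"


def key_blob(key_line: str) -> tuple[str, bytes]:
    """Split a public key line into (key type, decoded wire blob)."""
    ktype, b64 = key_line.split()[:2]
    return ktype, base64.b64decode(b64)


def sshfp_records(hostname: str, key_line: str) -> list[str]:
    """Zone-file SSHFP records for one host key (what an admin publishes)."""
    ktype, blob = key_blob(key_line)
    alg = SSHFP_ALGO[ktype]
    return [
        f"{hostname}. IN SSHFP {alg} {fpt} {hashlib.new(name, blob).hexdigest()}"
        for name, fpt in SSHFP_FPTYPE.items()
    ]


def host_key_matches_dns(key_line: str, dns_records: list[str]) -> bool:
    """True if any presented SSHFP record matches the offered host key."""
    ktype, blob = key_blob(key_line)
    alg = SSHFP_ALGO[ktype]
    hashes = {fpt: hashlib.new(name, blob).hexdigest()
              for name, fpt in SSHFP_FPTYPE.items()}
    for rec in dns_records:
        fields = rec.split()
        if len(fields) < 3:
            continue
        rec_alg, rec_fpt, rec_hex = fields[-3], fields[-2], fields[-1].lower()
        if not (rec_alg.isdigit() and rec_fpt.isdigit()):
            continue
        if int(rec_alg) == alg and hashes.get(int(rec_fpt)) == rec_hex:
            return True
    return False


def verify_host_key_dns_decision(setting: str, matched: bool,
                                 dnssec_validated: bool) -> str:
    """Model of the ssh_config(5) rule for an unknown host.
    'yes' + secure (DNSSEC-validated) match -> key accepted silently.
    Anything else ('yes' with an insecure match, 'ask', 'no') -> prompt."""
    if setting == "yes" and matched and dnssec_validated:
        return "accept"
    return "prompt"


if __name__ == "__main__":
    line = constructed_hostkey_line()
    records = sshfp_records("host.example", line)   # constructed host name
    for r in records:
        print(r)
    matched = host_key_matches_dns(line, records)
    for setting, ad in (("yes", True), ("yes", False), ("ask", True)):
        print(setting, "AD" if ad else "no-AD",
              verify_host_key_dns_decision(setting, matched, ad))
```

On a real host the records come from `ssh-keygen -r <hostname> -f /etc/ssh/ssh_host_ed25519_key.pub`; on the client the setting goes in `~/.ssh/config` as `VerifyHostKeyDNS yes`, and the "accept" branch is only reached when the client's resolver is a validating one it trusts, so an unsigned zone or a non-validating resolver still leaves the fingerprint prompt in place.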