VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Kevin Fenzi kevin at scrye.com
Wed Oct 12 19:47:09 UTC 2011


On Wed, 12 Oct 2011 15:43:42 -0400 (EDT)
Paul Wouters <paul at xelerance.com> wrote:

> On Wed, 12 Oct 2011, Kevin Fenzi wrote:
> 
> > * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
> >  "VerifyHostKeyDNS yes")
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=180277
> https://bugzilla.redhat.com/show_bug.cgi?id=730558
> 
> You can't tell us to use this while at the same time refusing to make
> that security setting not the system default....
> 
> I asked for this back in 2006 ........

If the 'you' you are talking to here is me, which is what it reads
like: I am not the openssh maintainer. ;) 

> See the bug entry for my elaborate example showing you that DNS
> without DNSSEC does NOT lead to automatically connecting to servers
> you were never on before without prompting.

I completely agree with your reasoning and would love to have this
default in openssh. 

kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20111012/1af45b84/attachment.bin 


More information about the devel mailing list