On Fri, Aug 06, 2010 at 04:31:00AM -0500, Mike McGrath wrote: > On Fri, 6 Aug 2010, Till Maas wrote: > > > On Thu, Aug 05, 2010 at 04:32:36PM -0500, Mike McGrath wrote: > > > On Thu, 5 Aug 2010, Till Maas wrote: > > > > > > Yes ssh is secure if used properly. To get the proper known_hosts entry, > > > > one has to download https://admin.fedoraproject.org/ssh_known_hosts btw. > > > > > > > > > > We also use SSHFP records for those of you that want to enable > > > VerifyHostKeyDNS yes in their ~/.ssh/config files. Not all of our hosts > > > have it but many of our 'user' based external hosts do (pkgs, > > > fedorapeople, fedorahosted, etc) > > > > Afaik the SSHFP records are not protected against tampering by an MITM > > attacker. > > > > They're better then ssh alone. They're only used for the first initation. > So you'd have to be MITM'ed on the first connection in which case you're > right, they wouldn't protect against that. Afaik using the SSHFP records make SSH not warn the user that the host key is not verified. If SSH would e.g. warn that the host key is unknown, but at least matches the SSHFP record, then it might be a little better. But actually it makes MITM attacks easier, because if one tampers the DNS response and the SSH connection, then the user does not even get a warning on the first attempt, making the situation even worse IMHO. And SSH is only vulnerable to MITM attacks on the first connection in general and I guess that SSHFP records are not used anymore after the first connection. What would they be good for when the host key is already known to SSH? Regards Till
Attachment:
pgpNZZqgxS2GX.pgp
Description: PGP signature
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
