On Tue, Jul 02, 2024 at 02:50:17PM -0700, Kevin Fenzi wrote:
> On Tue, Jul 02, 2024 at 02:21:40PM GMT, Chris Adams wrote:
> > Once upon a time, Kevin Fenzi <kevin@xxxxxxxxx> said:
> > > Please see https://fedoraproject.org/wiki/Infrastructure/fedorapeople.org
> > > For more information, including information on adding our SSH CA or
> > > using dnssec / sshfp to verify the ssh host key of the new host.
> >
> > AFAIK the default Fedora setup with systemd-resolved does not support
> > DNSSEC for ssh using SSHFP records, and also the default SSH config
> > doesn't have VerifyHostKeyDNS enabled (so even if ssh could get the
> > record, with DNSSEC, it wouldn't use it).
>
> Yep, you need to enable dnssec in systemd-resolved (and have a
> nameserver that supports it) and set VerifyHostKeyDNS=yes in ssh_config.
> I added VerifyHostKeyDNS to the documentation.

-- Petr
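The two client-side settings discussed in this thread (DNSSEC in systemd-resolved and VerifyHostKeyDNS in ssh_config) can be checked together before relying on SSHFP records. The script below is an added example, not part of the thread or the Fedora documentation; the function names are hypothetical and it assumes the ssh side is supplied as saved `ssh -G <host>` output.

```shell
#!/bin/sh
# Added example: check the two client-side settings named in the thread.
# Function names are constructed for this illustration.
# Typical use (paths are the usual defaults, adjust as needed):
#   ssh -G fedorapeople.org > ssh-g.txt
#   sshfp_ready /etc/systemd/resolved.conf ssh-g.txt

# Print the last uncommented DNSSEC= value in a resolved.conf-style file,
# or "unset". Drop-in directories (resolved.conf.d) are not read.
resolved_dnssec() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key == "dnssec") { val = tolower($2); gsub(/[ \t]/, "", val) }
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Print the verifyhostkeydns value from `ssh -G <host>` output on stdin,
# or "unset" if the keyword is absent.
ssh_verify_dns() {
    awk 'tolower($1) == "verifyhostkeydns" { v = tolower($2) }
         END { print (v == "" ? "unset" : v) }'
}

# Return 0 only when both settings are on; print what is missing otherwise.
# $1 = resolved.conf path, $2 = file holding saved `ssh -G <host>` output.
sshfp_ready() {
    rc=0
    d=$(resolved_dnssec "$1")
    v=$(ssh_verify_dns < "$2")
    case $d in
        yes|true|1|on) ;;
        *) echo "resolved: DNSSEC=$d (want yes)"; rc=1 ;;
    esac
    case $v in
        yes|true) ;;
        *) echo "ssh: VerifyHostKeyDNS=$v (want yes)"; rc=1 ;;
    esac
    return $rc
}
```

A passing check only covers local configuration; the upstream nameserver must still support DNSSEC, as noted in the quoted reply.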
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue