On Friday, 23.03.2007, 21:05 +0100, Paul Wouters wrote:
> I just installed openssh-clients-4.5p1-2.fc7 and noticed that the option
> to use SSHFP DNS records is still not enabled. From the man page:
>
>     VerifyHostKeyDNS
>         Specifies whether to verify the remote key using DNS and SSHFP
>         resource records. If this option is set to yes, the client
>         will implicitly trust keys that match a secure fingerprint from
>         DNS. Insecure fingerprints will be handled as if this option was
>         set to ask. If this option is set to ask, information on
>         fingerprint match will be displayed, but the user will still need
>         to confirm new host keys according to the StrictHostKeyChecking
>         option. The argument must be yes, no, or ask. The default
>         is no. Note that this option applies to protocol version 2
>         only.
>
>         See also VERIFYING HOST KEYS in ssh(1).
>
> The openssh package maintainer has told me in the past he does not want
> to enable this option due to the "potential harm of an extra DNS lookup".
>
> To me that seems like a weak argument against adding more security,
> especially since the sshd already does plenty of reverse DNS lookups on
> the client to begin with. And with proper DNS configuration, even without
> having an SSHFP record, the delay of one DNS lookup in the ssh client is
> not going to exceed 100ms.
>
> I maintain the "sshfp" package to generate these SSHFP records for hosts
> or domains based on .ssh/known_hosts or ssh-keyscan, making it trivially
> easy for anyone who has their own domain to add SSHFP records to their
> domain to make use of this additional security feature.
>
> SSHFP records are providing real security. They give you an additional
> hint on whether or not you can trust the remote host you are connecting
> to for the first time. It will add some safety for people who just hit
> "yes" now to any new fingerprint presented by the ssh client (yeah sure,
> no one admits to doing it, but everyone does).
>
> Xelerance has deployed SSHFP records for over a year now. We do not
> see any problems or even experience the extra wait time using an
> ssh client with VerifyHostKeyDNS enabled. It has been active on all
> openswan/xelerance domains and never prevented a single ssh client from
> connecting to those servers.
>
> We would really like to see this option enabled by default. If we miss
> enabling this option for FC7, we will go through at least another six
> months of changing every install of FC manually to enable this in the
> /etc/ssh/ssh_config file.
>
> Note that by now, RIPE's reverse tree is secured by DNSSEC. This covers
> all IP space in Europe. The first two ccTLDs (Sweden and Bulgaria) have
> also enabled DNSSEC. This provides a very strong protection for SSHFP
> records, though granted this will take some resolver configuration,
> which is another topic that Fedora should at some point address for the
> caching-resolver package.
>
> So, I really hope that we can enable SSHFP record lookups in the ssh
> client in its default configuration file.
>
> As a sidenote, upgrading to the test2 version, I noticed there is no
> openssh-askpass package anymore. Will the upgrade from FC6 to FC7 be
> able to deal with this properly?
>
> Paul

Can I check something? Is SSHFP not useful unless DNSSEC is on?

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
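The thread quotes the ssh_config(5) text for VerifyHostKeyDNS but does not show what an SSHFP record looks like or how the "secure" versus "insecure" fingerprint distinction plays out. The following is an added example, written for this page; it is not code from OpenSSH, from the sshfp package or from any of the posters. It builds the SSHFP resource records for a public-key line in the same format `ssh-keygen -r` emits (RFC 4255 algorithm and fingerprint-type code points), and then emulates the decision the man page describes: with `VerifyHostKeyDNS yes`, a matching fingerprint is trusted only when the resolver reported it as DNSSEC-validated; an insecure match, or `VerifyHostKeyDNS ask`, still leaves the user to confirm the key. The example goes beyond the 2007 thread in two labelled ways: it includes the SHA-256 fingerprint type and the Ed25519 algorithm number defined in later RFCs, and the key it uses is constructed (its 32 key bytes are arbitrary), so it only exercises the record format and never corresponds to a real host. The `secure` argument stands in for the AD bit a validating resolver sets; real `ssh` gets that from the system resolver, not from an argument.

```python
"""SSHFP record generation and VerifyHostKeyDNS decision logic.

Added example for this page; not OpenSSH or sshfp-package code.
The public key below is constructed and deliberately fake.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint
# types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by data."""
    return struct.pack(">I", len(data)) + data


def constructed_pubkey_line(seed: int = 0) -> str:
    """A syntactically valid but fake ssh-ed25519 key line (constructed).

    Different seeds yield different keys, which the mismatch check needs.
    """
    key_bytes = bytes((i + seed) & 0xFF for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " example@host"


def parse_pubkey_line(line: str) -> tuple:
    """Return (key type, raw key blob) from a known_hosts/ssh-keyscan line."""
    fields = line.split()
    if fields[0] not in SSHFP_ALGORITHM:   # known_hosts lines start with host
        fields = fields[1:]
    keytype, blob = fields[0], base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])   # blob must repeat the key type
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match blob")
    return keytype, blob


def sshfp_records(hostname: str, line: str) -> list:
    """What `ssh-keygen -r hostname` produces: one RR per fingerprint type.

    The fingerprint is the hash of the base64-decoded key blob, not of
    the text line, so a record is independent of comments and hostnames.
    """
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[keytype]
    return [f"{hostname} IN SSHFP {alg} {fptype} {h(blob).hexdigest()}"
            for fptype, h in SSHFP_FPTYPE.items()]


def verify_host_key_dns(line: str, records: list, secure: bool,
                        option: str = "yes") -> str:
    """Emulate VerifyHostKeyDNS: returns 'trust', 'ask' or 'mismatch'.

    option: the ssh_config value (yes / ask / no).
    secure: whether the resolver validated the records with DNSSEC.
    yes + secure match  -> implicit trust (no prompt)
    yes + insecure match, or ask + any match -> user is still prompted
    records present but none match -> mismatch (ssh warns loudly)
    no records, or option no -> ordinary StrictHostKeyChecking prompt
    """
    if option == "no":
        return "ask"
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[keytype]
    applicable = matched = False
    for rr in records:
        fields = rr.split()
        r_alg, r_fptype, r_hex = int(fields[-3]), int(fields[-2]), fields[-1]
        if r_alg != alg or r_fptype not in SSHFP_FPTYPE:
            continue                          # other key type; ignore it
        applicable = True
        if SSHFP_FPTYPE[r_fptype](blob).hexdigest() == r_hex.lower():
            matched = True
    if matched:
        return "trust" if (secure and option == "yes") else "ask"
    return "mismatch" if applicable else "ask"


if __name__ == "__main__":
    key = constructed_pubkey_line()
    rrs = sshfp_records("host.example", key)
    print("\n".join(rrs))
    for sec in (True, False):
        print(f"DNSSEC-validated={sec}:", verify_host_key_dns(key, rrs, sec))
```

Run as-is it prints the two records for the fake key and shows that the same records yield "trust" only when they arrive DNSSEC-validated; without validation the outcome is "ask", exactly what the quoted man page text says happens to insecure fingerprints. To use the generator on a real host, feed it a line from `ssh-keyscan host` or from `~/.ssh/known_hosts`, and compare the output against `ssh-keygen -r host`.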