Re: Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.

On Sat, 2019-02-23 at 22:23 +0300, Yegor Ievlev wrote:
> Well, known_hosts isn't exactly trusted input, since it's usually
> composed of the keys you first encounter
If someone accepts keys without checking them, he cannot be helped.


> without any additional
> checking, as opposed to (hopefully) correctly signed SSHFP records.
In fact, SSHFP is far less trustworthy than properly exchanged host
keys (or their fingerprints).

Anyone in the tree of the DNS down to the domain with your SSHFP RR has
the potential power to forge such an RR.


C.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
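One defender-side check that follows from the exchange above is to confirm that a published SSHFP record names exactly the host key you already verified out of band, rather than letting DNS introduce a key. The following is an added example, not code from this thread or from OpenSSH; the host name, key blob and record values are constructed.

```python
import base64
import hashlib
import struct

# SSHFP RDATA algorithm numbers for OpenSSH key types (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_known_hosts(line):
    """Return the set of (algorithm, fptype, hex) SSHFP tuples a known_hosts line implies."""
    fields = line.split()
    if fields[0].startswith("@"):      # skip a leading @cert-authority / @revoked marker
        fields = fields[1:]
    keytype, b64 = fields[1], fields[2]
    blob = base64.b64decode(b64)
    # The wire blob (RFC 4253) starts with a length-prefixed key type; it must agree
    # with the text field, otherwise the line is malformed or has been tampered with.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("key type field does not match key blob")
    alg = SSHFP_ALGORITHM[keytype]
    # The fingerprint is the hash of the whole key blob, as ssh-keygen -r computes it.
    return {(alg, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_FPTYPE.items()}


def known_hosts_matches_sshfp(line, rr_rdata):
    """True if an SSHFP RDATA string ("4 2 <hex>") names exactly the key in the line."""
    alg, fptype, hexfp = rr_rdata.split()
    return (int(alg), int(fptype), hexfp.lower()) in sshfp_from_known_hosts(line)


# Constructed sample key (not a real host key): an Ed25519 blob with a dummy 32-byte point.
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_LINE = "example.test ssh-ed25519 " + base64.b64encode(_BLOB).decode()

if __name__ == "__main__":
    for alg, fptype, hexfp in sorted(sshfp_from_known_hosts(SAMPLE_LINE)):
        print(f"example.test IN SSHFP {alg} {fptype} {hexfp}")
```

OpenSSH produces the same values with `ssh-keygen -r`, and its `VerifyHostKeyDNS` lookup treats a matching record as authoritative only when the resolver reports DNSSEC validation; without that, the answer is only a hint and the usual host key prompt still applies.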