Re: Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.

Well, the most likely entity who can do that is your registrar, since
it can change your nameservers and DS records.

On Mon, Feb 25, 2019 at 3:51 AM Christoph Anton Mitterer
<calestyo@xxxxxxxxxxxx> wrote:
>
> On Sat, 2019-02-23 at 22:23 +0300, Yegor Ievlev wrote:
> > Well, known_hosts isn't exactly trusted input, since it's usually
> > composed of the keys you first encounter
> If someone accepts keys without checking them, he cannot be helped.
>
>
> >  without any additional
> > checking, as opposed to (hopefully) correctly signed SSHFP records.
> In fact, SSHFP is far less trustworthy than properly exchanged host
> keys (respectively fingerprints).
>
> Anyone in the tree of the DNS down to the domain with your SSHFP RR has
> the potential power to forge such RR.
>
>
> C.
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
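
Added example, not part of the original message or of OpenSSH: a check that compares published SSHFP records against a host key that was exchanged out of band, so a record changed somewhere in the DNS tree shows up as a mismatch. The function names, the host name and the sample key bytes are constructed for illustration; it assumes plain known_hosts lines (no markers) and SSHFP RDATA already retrieved as text.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types.
KEY_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
FP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_from_known_hosts(line, fp_type=2):
    """Derive (algorithm, fp_type, hex digest) from one plain known_hosts line."""
    _hosts, key_type, b64 = line.split()[:3]
    algo = 3 if key_type.startswith("ecdsa-sha2-") else KEY_ALGO[key_type]
    blob = base64.b64decode(b64)  # SSHFP hashes the raw public key blob
    return algo, fp_type, FP_HASH[fp_type](blob).hexdigest()

def check_sshfp(pinned_line, rdata_list):
    """Compare SSHFP RDATA strings such as "4 2 <hex>" with the pinned key.

    Returns "match", "mismatch" (a record for the same key algorithm carries
    a different digest) or "no-record" (nothing comparable was published).
    """
    verdict = "no-record"
    for rdata in rdata_list:
        algo_s, fpt_s, hex_fp = rdata.split(None, 2)
        algo, fpt = int(algo_s), int(fpt_s)
        if fpt not in FP_HASH:
            continue  # unknown fingerprint type, cannot compare
        want_algo, _, want_fp = sshfp_from_known_hosts(pinned_line, fpt)
        if algo != want_algo:
            continue  # record describes a different host key type
        if hex_fp.replace(" ", "").lower() == want_fp:
            return "match"
        verdict = "mismatch"
    return verdict

# Constructed sample: an Ed25519 key blob with dummy key bytes 0..31.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_LINE = "host.example.org ssh-ed25519 " + base64.b64encode(_blob).decode()
SAMPLE_GOOD_RDATA = "4 2 " + hashlib.sha256(_blob).hexdigest().upper()

if __name__ == "__main__":
    # First call: DNS agrees with the pinned key. Second: DNS publishes another digest.
    print(check_sshfp(SAMPLE_LINE, [SAMPLE_GOOD_RDATA]))
    print(check_sshfp(SAMPLE_LINE, ["4 2 " + "00" * 32]))
```

A "mismatch" result means the DNS-published fingerprint and the out-of-band key disagree and one of the two sources needs to be investigated before connecting.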


