Re: Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi,

On Mon, Feb 25, 2019 at 01:51:16AM +0100, Christoph Anton Mitterer wrote:
> Anyone in the tree of the DNS down to the domain with your SSHFP RR has
> the potential power to forge such RR.

This is why you only trust SSHFPs if they are DNSSEC validated.

(Of course the sysadmin who maintains your SSHFP zone entries needs to
be trusted, so you do not want to do this for zones hosted elsewhere)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert@xxxxxxxxxxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux