On 27/09/2013 13:57, Greg Troxel wrote:
> Jean-Yves Migeon <jeanyves.migeon%free.fr@localhost> writes:
>
>> +# Some NetBSD's hosts provide SSHFP records - try checking them
>> +Host *.netbsd.org
>> +    VerifyHostKeyDNS ask
>
> Not really objecting, but: Why only for netbsd.org?
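Review bot: the comment above `+Host *.netbsd.org` should say what the lookup does and does not establish, since `VerifyHostKeyDNS ask` still prompts the user on an unknown host and the DNS answer only carries weight when the resolver validates DNSSEC; also fix the grammar ("Some NetBSD hosts", not "Some NetBSD's hosts"). Suggested wording: `# Some NetBSD hosts publish SSHFP records; ssh shows whether the key matches them (only meaningful with a validating DNSSEC resolver)`.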
Because I know admins@ add SSHFP records for the hosts managed by TNF. For other domains... well, I am not so sure about that :)
> Does upstream OpenSSH enable this by default?
Nope
> Why or why not?
Wild guess:

- that would force a DNS lookup for each host you connect to, but the number of admins who add SSHFP records to their DNS is almost zero. We are lucky there: spz does, so I limit this to TNF hosts to be meaningful.
- without DNSSEC it is purely informational: DNS is insecure by design, you cannot replace a "strict" fingerprint check by a simple DNS lookup. It is weaker, but still better than nothing.
In the future we could base SSH key validation on DNS; this would be the first step. A bit like the TLSA record (spz@ pinged me about it) for server certificates. Just see this as a pro-active step, without any real drawback (at least from my PoV, that's why I am asking on -users@).
Cheers,

-- 
Jean-Yves Migeon
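For readers who want to see what the SSHFP records mentioned in this thread actually contain and how a client compares a presented host key against them, the following is an added example (not code from the thread, NetBSD or OpenSSH). It reproduces what `ssh-keygen -r` emits: algorithm number and fingerprint type per RFC 4255, RFC 6594 and RFC 7479, with the fingerprint being a hash over the raw key blob. The hostname `test.example.` and the Ed25519 public key are constructed for the example (the 32 key bytes are not a real curve point, which does not matter for fingerprinting).

```python
"""Generate SSHFP resource records for an OpenSSH public key and check a
presented key against such a record.  Added example for this thread, not
part of NetBSD or OpenSSH; the sample key and hostname are constructed."""
import base64
import hashlib
import struct

# SSHFP algorithm numbers, keyed by OpenSSH key type
# (RFC 4255: RSA=1, DSA=2; RFC 6594: ECDSA=3; RFC 7479: Ed25519=4)
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Split a known_hosts/authorized_keys style line '<type> <base64> [comment]'
    into (key type, raw key blob).  The blob's leading wire string must agree
    with the textual key type; a mismatch is rejected rather than guessed at."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    (wire_len,) = struct.unpack(">I", blob[:4])
    wire_type = blob[4:4 + wire_len].decode("ascii")
    if wire_type != keytype:
        raise ValueError(f"key type mismatch: {keytype!r} vs {wire_type!r}")
    return keytype, blob


def sshfp_records(hostname: str, pubkey_line: str):
    """Return one zone-file SSHFP RR per fingerprint type for a public key,
    in the same layout `ssh-keygen -r <host>` prints."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHM[keytype]
    return [
        f"{hostname} IN SSHFP {alg} {fptype} {digest(blob).hexdigest()}"
        for fptype, digest in sorted(SSHFP_FPTYPE.items())
    ]


def key_matches_sshfp(pubkey_line: str, record: str) -> bool:
    """Check a host key presented by the server against one SSHFP record,
    as a client would after fetching the record from DNS.  Accepts both the
    full zone-file line and the bare '<alg> <fptype> <hex>' RDATA."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    fields = record.split()
    if len(fields) < 3:
        return False
    alg, fptype, fp_hex = int(fields[-3]), int(fields[-2]), fields[-1].lower()
    if alg != SSHFP_ALGORITHM.get(keytype) or fptype not in SSHFP_FPTYPE:
        return False
    return SSHFP_FPTYPE[fptype](blob).hexdigest() == fp_hex


# Constructed sample: an Ed25519 key blob built from 32 fixed bytes.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " constructed@example"
)

if __name__ == "__main__":
    records = sshfp_records("test.example.", SAMPLE_PUBKEY_LINE)
    for rr in records:
        print(rr)
    # A client presented with the same key finds a match for every record
    print(all(key_matches_sshfp(SAMPLE_PUBKEY_LINE, rr) for rr in records))
```

The match check only tells you that the key in DNS equals the key the server presented; whether that DNS answer can be believed is exactly the DNSSEC caveat raised above, which is why `VerifyHostKeyDNS ask` rather than `yes` is the sensible default without a validating resolver.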