[Bug 825825] Re: have DNS based verification occur by default

Dave Walker davewalker at ubuntu.com
Thu Aug 18 22:34:03 UTC 2011


** Changed in: openssh (Ubuntu)
   Importance: Undecided => Wishlist

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/825825

Title:
  have DNS based verification occur by default

Status in “openssh” package in Ubuntu:
  New

Bug description:
  Hi,

  openssh can look up a host's key in the DNS (via the SSHFP record) and
  use it to compare the host's presented public key.

  
    VerifyHostKeyDNS yes

  I believe that if the connection is secured via DNSSEC, this
  option will allow the host's key to be automagically accepted.
  However, I have not verified that myself.

  However I have had this personally set to 'Yes' and for initial
  connection to hosts which are NOT secured via DNSSEC I am prompted to
  accept the key.

  If you want to be more cautious with the change then perhaps setting
  'VerifyHostKeyDNS ask' would be better.

  Either way, I think that making this the default option will:
   - increase security for those who choose to deploy SSHFP
   - increase awareness of this ability

  The only downside is that a connection will make external calls to the
  DNS to determine if a SSHFP record exists.

  It would be great if this change could be made before 12.04 is
  released.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/825825/+subscriptions
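An added example, not part of the bug report or of OpenSSH itself: it derives the SSHFP record an admin would publish for a host key, and models the VerifyHostKeyDNS yes/ask decision the reporter describes (accept only on a DNSSEC-validated match, otherwise prompt). The sample key is constructed and the decision table is an assumed model of OpenSSH's behaviour, not its code.

```python
import base64
import hashlib
import struct
from typing import List, NamedTuple

# SSHFP code points (RFC 4255 algorithms, RFC 6594 Ed25519 / SHA-256 fptype)
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_SHA256 = 2


class Sshfp(NamedTuple):
    algorithm: int
    fptype: int
    fingerprint: str  # lowercase hex of the hash over the raw key blob


def sshfp_from_pubkey_line(line: str) -> Sshfp:
    """Build the SSHFP RDATA for one line of ssh_host_*_key.pub."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:  # blob must agree with the label
        raise ValueError("key type on line does not match key blob")
    return Sshfp(SSHFP_ALGORITHM[keytype], SSHFP_SHA256,
                 hashlib.sha256(blob).hexdigest())


def zone_line(host: str, rec: Sshfp) -> str:
    """Zone-file form of the record, e.g. 'host.example. IN SSHFP 4 2 <hex>'."""
    return f"{host} IN SSHFP {rec.algorithm} {rec.fptype} {rec.fingerprint}"


def host_key_decision(setting: str, presented: Sshfp, dns: List[Sshfp],
                      dnssec_validated: bool) -> str:
    """Assumed model of VerifyHostKeyDNS for a host not yet in known_hosts:
    'accept' only for a DNSSEC-validated match under 'yes'; an insecure or
    'ask' match still prompts (with the match shown); a mismatch warns and
    prompts; no record or 'no' falls back to the usual prompt."""
    if setting == "no" or not dns:
        return "ask"
    if presented not in dns:
        return "ask-warn"
    if setting == "yes" and dnssec_validated:
        return "accept"
    return "ask"


def sample_key_line() -> str:
    """Constructed Ed25519 public key line (not a real host key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```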