On Fri, Aug 06, 2010 at 04:34:19AM -0500, Mike McGrath wrote: > On Fri, 6 Aug 2010, Mike McGrath wrote: > > On Fri, 6 Aug 2010, Till Maas wrote: > > > On Thu, Aug 05, 2010 at 04:32:36PM -0500, Mike McGrath wrote: > > > > We also use SSHFP records for those of you that want to enable > > > > VerifyHostKeyDNS yes in their ~/.ssh/config files. Not all of our hosts > > > > have it but many of our 'user' based external hosts do (pkgs, > > > > fedorapeople, fedorahosted, etc) > > > > > > Afaik the SSHFP records are not protected against tampering by an MITM > > > attacker. <snip> > > Side note on this: Combined with DNSSEC, this actually would protect > against a MITM attacker.
Not only that, but they *are* signed, and the signing key is in the ISC DLV registry. You just need a name server that has DNSSEC enabled and uses the ISC DLV registry (output trimmed for relevance): $ dig +adflag -t sshfp pkgs.fedoraproject.org ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; QUESTION SECTION: ;pkgs.fedoraproject.org. IN SSHFP ;; ANSWER SECTION: pkgs.fedoraproject.org. 3600 IN SSHFP 1 1 2AB094461D34656B4704B4EDBCF002A09EBCE4F7 Note the ad flag, which indicates that the answer is authentic. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
