ssh_config: update comment for VerifyHostKeyDNS

OpenSSH is evil and gives you three not-optimal options to this:

A) trust DNSSEC and don't write known_hosts
B) ask whether to trust DNS, but don't bother telling me if it's signed
C) don't even check SSHFP

I see A) as the least evil, but I wish known_hosts was written.
Alternatively B) should tell me whether there is DNSSEC or not, not
only "matching keys found from DNS" or whatever it says always.
remotes/blesmrt/master
Mikaela Suomalainen 8 months ago
parent
commit
e634ee8863
Signed by: Mikaela Suomalainen <mikaela+git@mikaela.info> GPG Key ID: 0C207F07B2F32B67
2 changed files with 10 additions and 10 deletions:
  1. .mikaela/ssh/config (+5 −5)
  2. etc/ssh/ssh_config (+5 −5)

.mikaela/ssh/config (+5 −5)

@@ -42,11 +42,11 @@ Host *
# Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
UseRoaming no

# Verify SSHFP records. In case DNSSEC is used this skips the
# question on whether you trust the fingerprint or not.
# All my hosts run DNSSEC validating Unbound on localhost and use it
# for all DNS queries. Yours should too.
VerifyHostKeyDNS yes
# Verify SSHFP records. If this is yes, the question is skipped when
# DNSSEC is used, but apparently only "ask" and "no" write known_hosts
# However with "ask" you won't be told whether the zone is signed, so
# I consider "yes" to be the least evil.
VerifyHostKeyDNS ask

Host aur.archlinux.org
User aur
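Review bot: The new comment block and the new value disagree: the comment ends with "I consider "yes" to be the least evil", but the line that follows sets `VerifyHostKeyDNS ask`. One of the two should change so the file documents the setting it actually applies; as written, the next reader cannot tell whether "ask" is deliberate (to get known_hosts written) or a leftover. The removed lines also carried the operational prerequisite ("All my hosts run DNSSEC validating Unbound on localhost and use it for all DNS queries"), which is what makes trusting SSHFP without a prompt defensible; if that still holds it is worth keeping next to the option, since the new text only says that DNSSEC skips the question. Finally, "apparently only "ask" and "no" write known_hosts" is hedged; if that behaviour was observed rather than read from ssh_config(5), say so, or drop "apparently" once it has been confirmed.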

etc/ssh/ssh_config (+5 −5)

@@ -43,8 +43,8 @@ Host *
# Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
UseRoaming no

# Verify SSHFP records. In case DNSSEC is used this skips the
# question on whether you trust the fingerprint or not.
# All my hosts run DNSSEC validating Unbound on localhost and use it
# for all DNS queries. Yours should too.
VerifyHostKeyDNS yes
# Verify SSHFP records. If this is yes, the question is skipped when
# DNSSEC is used, but apparently only "ask" and "no" write known_hosts
# However with "ask" you won't be told whether the zone is signed, so
# I consider "yes" to be the least evil.
VerifyHostKeyDNS ask
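Review bot: Same comment/value mismatch as in .mikaela/ssh/config: the comment concludes that "yes" is the least evil while the line sets `VerifyHostKeyDNS ask`. Because this is the system-wide etc/ssh/ssh_config, the choice applies to every user on the host, so the comment should state what "ask" means for them in practice (a prompt for each new host key, with no indication of whether the SSHFP answer was DNSSEC-validated, as the comment itself notes) rather than the author's personal preference; the first-person "I consider" also reads oddly in a file under etc/. Since both files now carry an identical block, consider saying in the commit message which copy is the source and which is kept in sync, so future edits do not diverge.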
