[91068] in North American Network Operators' Group
Re: Best practices inquiry: tracking SSH host keys
daemon@ATHENA.MIT.EDU (Jeroen Massar)
Wed Jun 28 21:22:03 2006
Date: Thu, 29 Jun 2006 03:20:53 +0200
From: Jeroen Massar <jeroen@unfix.org>
To: nanog@nanog.org
In-Reply-To: <9f2790160606281807n70b26d58r310d4e1136899c8a@mail.gmail.com>
Errors-To: owner-nanog@merit.edu
On 6/28/06, Phillip Vandry <vandry@tzone.org> wrote:
> SSH implements neither a CA hierarchy (like X.509 certificates) nor
> a web of trust (like PGP) so you are left checking the validity of
> host keys yourself. Still, it's not so bad if you only connect to a
> small handful of well known servers. You will either have verified
> them all soon enough and not be bothered with it anymore, or system
> administrators will maintain a global known_hosts file that lists
> all the correct ones.
The answer to your question: RFC4255
"Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
http://www.ietf.org/rfc/rfc4255.txt
You will only need to stuff the FP's into SSHFP DNS RR's and turn on
verification for these records on the clients. Done.
In combo with DNSSEC this is a (afaik ;) 100% secure way to at least get
the fingerprints right.
Greets,
Jeroen
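The two halves of the RFC 4255 workflow described above, publishing SSHFP records from a host key and checking a server's offered key against them on the client side, as an added example that is not part of the post. The key material is a constructed 32-byte pattern standing in for an Ed25519 public key (not a real host key), and the hostname is a placeholder. Algorithm and fingerprint-type numbers follow RFC 4255 (RSA=1, DSA=2, SHA-1=1), RFC 6594 (ECDSA=3, SHA-256=2) and RFC 7479 (Ed25519=4).

```python
"""Build and verify RFC 4255 SSHFP records from an OpenSSH public-key line.

Added example, not code from the NANOG post. The sample key below is
CONSTRUCTED (a fixed byte pattern), not a real host key.
"""
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, extended by RFC 6594 and RFC 7479).
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (big-endian uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Parse one OpenSSH public-key line into (key type, raw key blob).

    The blob is the base64-decoded SSH wire encoding of the key. RFC 4255
    hashes exactly these bytes, which is what `ssh-keygen -r` also does.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    keytype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    # The first SSH string inside the blob must repeat the key type; refuse otherwise.
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match blob")
    return keytype, blob


def sshfp_records(hostname: str, pubkey_line: str, fptypes=(1, 2)) -> list[str]:
    """Return SSHFP RRs in zone-file presentation format for one host key."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    algo = SSHFP_ALGO[keytype]
    records = []
    for fptype in fptypes:
        fp_hex = SSHFP_FPTYPE[fptype](blob).hexdigest().upper()
        records.append(f"{hostname} IN SSHFP {algo} {fptype} {fp_hex}")
    return records


def verify_against_sshfp(pubkey_line: str, rdata: str) -> bool:
    """Client-side check: does the key the server offered match an SSHFP rdata
    string ('<algo> <fptype> <hex>') fetched from DNS?

    This only closes the trust gap when the answer was DNSSEC-validated; an
    unsigned answer tells you nothing about who published it.
    """
    keytype, blob = parse_pubkey_line(pubkey_line)
    try:
        algo_s, fptype_s, fp_hex = rdata.split()
        algo, fptype = int(algo_s), int(fptype_s)
    except ValueError:
        return False
    if algo != SSHFP_ALGO.get(keytype) or fptype not in SSHFP_FPTYPE:
        return False
    expected = SSHFP_FPTYPE[fptype](blob).hexdigest()
    # Constant-time comparison so the check cannot leak how much of the digest matched.
    return hmac.compare_digest(expected, fp_hex.lower())


# Constructed sample (NOT a real key): a 32-byte pattern in Ed25519 wire layout.
FAKE_ED25519_POINT = bytes(range(32))
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(FAKE_ED25519_POINT)
SAMPLE_PUBKEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " root@host.example"
)

if __name__ == "__main__":
    for rr in sshfp_records("host.example.", SAMPLE_PUBKEY_LINE):
        print(rr)
```

On a real host, `ssh-keygen -r host.example. -f /etc/ssh/ssh_host_ed25519_key.pub` emits the same SSHFP lines for the zone file; on the client, `VerifyHostKeyDNS yes` in `ssh_config` makes OpenSSH perform the check in `verify_against_sshfp`, and it only skips the interactive host-key prompt when the resolver reports the SSHFP answer as DNSSEC-validated, which is the point of the DNSSEC caveat in the post.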