[91069] in North American Network Operators' Group
Re: Best practices inquiry: tracking SSH host keys
daemon@ATHENA.MIT.EDU (Simon Leinen)
Thu Jun 29 04:19:52 2006
From: Simon Leinen <simon@limmat.switch.ch>
To: Jeroen Massar <jeroen@unfix.org>
Cc: nanog@nanog.org
In-Reply-To: <44A32AF5.4080705@unfix.org> (Jeroen Massar's message of "Thu, 29
Jun 2006 03:20:53 +0200")
Date: Thu, 29 Jun 2006 10:19:21 +0200
Errors-To: owner-nanog@merit.edu
Jeroen Massar writes:
> The answer to your question: RFC4255
> "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
> http://www.ietf.org/rfc/rfc4255.txt
Yes, that's cool if your SSH client supports it (recent OpenSSH's do).
> You will only need to stuff the FP's into SSHFP DNS RR's and turn on
> verification for these records on the clients. Done.
How do you get the SSH host key fingerprint of a Cisco into SSHFP syntax?
> In combo with DNSSEC this is a (afaik ;) 100% secure way to at least get
> the fingerprints right.
Exactly.
--
Simon.
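As an added example (not from this thread or from any of the tools it mentions), this builds an SSHFP RR from a host's public key as printed by ssh-keyscan or found in an OpenSSH key line. It illustrates the question above: the RFC 4255 fingerprint is a hash over the raw public-key blob, so a fingerprint a device merely displays on its console cannot be converted; you need the public key itself. It goes slightly beyond RFC 4255 by also accepting the SHA-256 type and the newer algorithm numbers; the hostname and key bytes are constructed, not a real key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers: 1 RSA, 2 DSA (RFC 4255); 3 ECDSA (RFC 6594); 4 Ed25519 (RFC 7479)
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# Fingerprint types: 1 SHA-1 (RFC 4255), 2 SHA-256 (RFC 6594); the digest covers the raw key blob
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(b):
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(b)) + b


def parse_pubkey_line(line):
    """Return (key_type, raw_blob) from 'host keytype b64' (ssh-keyscan) or 'keytype b64 [comment]'."""
    fields = line.split()
    for i, f in enumerate(fields[:-1]):
        if f in SSHFP_ALGORITHMS:
            blob = base64.b64decode(fields[i + 1])
            break
    else:
        raise ValueError("no supported SSH key type in line")
    # The blob itself starts with the type string; refuse mismatches rather than hash junk
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != f.encode():
        raise ValueError("declared key type does not match key blob")
    return f, blob


def sshfp_record(hostname, line, fptype=1):
    """Build the RR a client compares against the key presented in the SSH handshake."""
    key_type, blob = parse_pubkey_line(line)
    digest = FP_HASHES[fptype](blob).hexdigest()
    return f"{hostname}. IN SSHFP {SSHFP_ALGORITHMS[key_type]} {fptype} {digest}"


# Constructed sample: an ssh-rsa blob (type, e=65537, dummy 512-bit modulus); NOT a real key
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x01" + b"\x42" * 63))
SAMPLE_LINE = "router.example.net ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    for fptype in (1, 2):
        print(sshfp_record("router.example.net", SAMPLE_LINE, fptype))
```

OpenSSH's own `ssh-keygen -r hostname -f keyfile` emits the same records for key files it can read; the hand-rolled version above exists to show exactly which bytes get hashed.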