Re: ssh public key finger print



Oh yes, I did the same thing, but when I tried sshing into bastion it prompted me to confirm the public key fingerprint.  I checked that VerifyHostKeyDNS was set to yes in my /etc/ssh/ssh_config file.  I was wondering why I was still being prompted to confirm that I trusted the fingerprint.  I did some research and the openssh client will not accept an SSHFP record unless it comes from a trusted DNS zone.  My understanding is the zone the SSHFP record comes from has to have DNSSEC set up and be signed with a chain going all the way to the root DNS zone so as to prevent a MITM attack.  I think this will be beneficial for new users and servers where if they have VerifyHostKeyDNS in their ssh_config file they will not be prompted to trust the fingerprint because they can look it up in DNS and can trust it.  That was my idea; I also understand that DNSSEC might be a PITA to set up correctly and not worth it.

On Fri, Feb 13, 2015 at 9:02 AM, Andrea Veri <av gnome org> wrote:
Hey Peter,

the SSHFP record is there already for bastion.gnome.org as dig can confirm:

dig +short SSHFP bastion.gnome.org
1 1 6A3B7CAA1210CA3627C430E84CEE95A0A2F18B88

2015-02-12 21:46 GMT+01:00 Peter Baumgarten <me peter-baumgarten com>:
> Any interest in having SSHFP records come from a signed DNS zone with
> DNSSEC? So that way when VerifyHostKeyDNS is set to yes in someones ssh
> config they will not be prompted to verify the public key fingerprint.
>
> On Thu, 2015-02-12 at 08:37 +0100, Andrea Veri wrote:
>> That's correct:
>>
>> 2048 2b:e6:66:91:c6:84:2f:92:cb:0d:c3:fa:d9:9a:6a:10
>> /etc/ssh/ssh_host_rsa_key.pub (RSA)
>>
>> This also reminded me I should setup a SSHFP record for
>> bastion.gnome.org. That has been done and waiting for Puppet to pick
>> up the changes.
>>
>>
>> 2015-02-12 3:26 GMT+01:00 Peter Baumgarten <me peter-baumgarten com>:
>> > Does anyone know what the ssh public key fingerprint should be for
>> > bastion.gnome.org? I got a RSA key fingerprint
>> > 2b:e6:66:91:c6:84:2f:92:cb:0d:c3:fa:d9:9a:6a:10 with an ip of
>> > 209.132.180.166
>> >
>> > _______________________________________________
>> > gnome-infrastructure mailing list
>> > gnome-infrastructure gnome org
>> > https://mail.gnome.org/mailman/listinfo/gnome-infrastructure
>>
>>
>>
>



--
Cheers,

Andrea

Debian Developer,
Fedora / EPEL packager,
GNOME Infrastructure Team Coordinator,
GNOME Foundation Board of Directors Secretary,
GNOME Foundation Membership & Elections Committee Chairman

Homepage: http://www.gnome.org/~av
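The SSHFP record Andrea published and the fingerprints quoted above are all derived from the same bytes: the base64 part of the host's public key line. The following is an added example, not code from the GNOME infrastructure team or from OpenSSH; it rebuilds the RRdata that `ssh-keygen -r <host> -f <pubkey>` prints (algorithm, fingerprint type, hex digest) and checks it against a `dig +short SSHFP` answer line. The key it hashes is a constructed placeholder blob (the sample key and the `sample@example` comment are assumptions), not bastion.gnome.org's key, so its digests will not match the record quoted in the thread; point `sshfp_records` at the contents of `/etc/ssh/ssh_host_rsa_key.pub` to reproduce a real record.

```python
"""Compute and check SSHFP records for an OpenSSH host key (RFC 4255 / RFC 6594).

Added example, not the GNOME team's or OpenSSH's code. The RRdata it builds is
what `ssh-keygen -r <host> -f <pubkey>` (or `ssh-keyscan -D <host>`) prints.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594) and fingerprint types.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}   # 1 = SHA-1, 2 = SHA-256


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length prefix plus the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': two's-complement big-endian, with a leading 0x00 if needed."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


# Constructed sample: a syntactically valid ssh-rsa blob built from tiny
# placeholder numbers. It is NOT a usable key and NOT bastion's key.
_sample_blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE)
SAMPLE_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(_sample_blob).decode() + " sample@example"


def decode_pubkey(line: str):
    """Return (key type, raw key blob) from an authorized_keys/ssh_host_*_key.pub line."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob embeds its own type string; it must agree with the textual prefix.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key type prefix does not match key blob")
    return keytype, blob


def sshfp_records(line: str):
    """RRdata tuples (algorithm, fptype, HEX) for the key, one per fingerprint type."""
    keytype, blob = decode_pubkey(line)
    alg = SSHFP_ALGORITHMS[keytype]
    return [(alg, fptype, h(blob).hexdigest().upper())
            for fptype, h in sorted(SSHFP_FPTYPES.items())]


def parse_dig_sshfp(answer: str):
    """Parse one `dig +short SSHFP` line, e.g. '1 1 6A3B...'; hex may be space-split."""
    alg, fptype, *hexparts = answer.split()
    return int(alg), int(fptype), "".join(hexparts).upper()


def sshfp_matches(answer: str, line: str) -> bool:
    """True if the published record carries a fingerprint of this host key."""
    return parse_dig_sshfp(answer) in sshfp_records(line)


def md5_fingerprint(line: str) -> str:
    """Colon-separated MD5 hex: the legacy `ssh-keygen -l` format quoted in the thread."""
    _, blob = decode_pubkey(line)
    d = hashlib.md5(blob).hexdigest()
    return ":".join(d[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(line: str) -> str:
    """'SHA256:<unpadded base64>' as newer `ssh-keygen -l` prints."""
    _, blob = decode_pubkey(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


if __name__ == "__main__":
    for alg, fptype, hexdigest in sshfp_records(SAMPLE_PUBKEY_LINE):
        print("sample.example IN SSHFP %d %d %s" % (alg, fptype, hexdigest))
    print(md5_fingerprint(SAMPLE_PUBKEY_LINE), sha256_fingerprint(SAMPLE_PUBKEY_LINE))
```

A matching record is necessary but not sufficient for the no-prompt behaviour Peter is after: with `VerifyHostKeyDNS yes`, ssh only skips the confirmation when the resolver hands back the SSHFP answer with the AD (authenticated data) flag set, which needs a DNSSEC-signed zone and a validating resolver in the path; `dig +dnssec SSHFP bastion.gnome.org` shows `ad` among the flags when that holds. Without validation ssh still prints the prompt, merely noting that a matching fingerprint was found in DNS.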


