nanog mailing list archives
Re: Best practices inquiry: tracking SSH host keys
From: Jeroen Massar <jeroen () unfix org>
Date: Thu, 29 Jun 2006 03:20:53 +0200
On 6/28/06, Phillip Vandry <vandry () tzone org> wrote:
SSH implements neither a CA hierarchy (like X.509 certificates) nor a web of trust (like PGP), so you are left checking the validity of host keys yourself. Still, it's not so bad if you only connect to a small handful of well-known servers. You will either have verified them all soon enough and not be bothered with it anymore, or system administrators will maintain a global known_hosts file that lists all the correct ones.
The answer to your question: RFC4255 "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints" http://www.ietf.org/rfc/rfc4255.txt

You will only need to stuff the FPs into SSHFP DNS RRs and turn on verification for these records on the clients. Done. In combo with DNSSEC this is a (afaik ;) 100% secure way to at least get the fingerprints right.

Greets,
Jeroen
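Added example (not part of the original post): how the SSHFP record the reply describes is derived from a host key, and the client-side comparison that a verifying client performs. Algorithm numbers 3 (ECDSA) and fingerprint type 2 (SHA-256) come from RFC 6594 and 4 (Ed25519) from RFC 7479, later than the RFC 4255 the post cites; the sample key material is constructed, not a real host key.

```python
import base64
import hashlib
import struct

# OpenSSH key-type name -> SSHFP algorithm number
# (1 RSA, 2 DSA from RFC 4255; 3 ECDSA from RFC 6594; 4 Ed25519 from RFC 7479).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint-type number -> hash (1 SHA-1 from RFC 4255, 2 SHA-256 from RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def parse_pubkey_line(line):
    """Return (key type, raw key blob) from a public-key file or known_hosts line."""
    fields = line.split()
    if fields[0] not in SSHFP_ALGORITHM:  # known_hosts lines carry a leading host field
        fields = fields[1:]
    key_type, blob = fields[0], base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])  # blob begins with a length-prefixed type string
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match the declared type")
    return key_type, blob

def sshfp_rdata(line, fp_type=2):
    """SSHFP RDATA (algorithm, fingerprint type, hex digest); the digest covers the raw blob."""
    key_type, blob = parse_pubkey_line(line)
    return SSHFP_ALGORITHM[key_type], fp_type, SSHFP_HASH[fp_type](blob).hexdigest()

def sshfp_zone_line(owner, line, fp_type=2):
    """Presentation-format record to paste into the zone (then sign the zone with DNSSEC)."""
    alg, typ, hexfp = sshfp_rdata(line, fp_type)
    return f"{owner} IN SSHFP {alg} {typ} {hexfp}"

def host_key_matches_dns(line, records):
    """Client-side check: does the key the server offered match a published SSHFP record?"""
    key_type, blob = parse_pubkey_line(line)
    return any(rec_alg == SSHFP_ALGORITHM[key_type] and rec_type in SSHFP_HASH
               and SSHFP_HASH[rec_type](blob).hexdigest() == rec_hex.lower()
               for rec_alg, rec_type, rec_hex in records)

def _fake_ed25519_line(point):
    # Constructed sample material, not a real host key: an Ed25519 blob with a dummy point.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@host.example.net"

SAMPLE_KEY_LINE = _fake_ed25519_line(bytes(range(32)))
OTHER_KEY_LINE = _fake_ed25519_line(bytes(32))  # a different key, to show a mismatch
```

OpenSSH's `ssh-keygen -r <hostname>` emits the same records from the host's own keys, and the client consults them when `VerifyHostKeyDNS yes` is set. The comparison is only as trustworthy as the DNS answer, which is why the post pairs it with DNSSEC.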