North American Network Operators Group
Re: Best practices inquiry: tracking SSH host keys
- From: Jeroen Massar
- Date: Wed Jun 28 21:22:37 2006
- Openpgp: id=333E7C23;url=http://unfix.org/~jeroen/jeroen-unfix.org-pgpkey
On 6/28/06, Phillip Vandry <vandry@tzone.org> wrote:
> SSH implements neither a CA hierarchy (like X.509 certificates) nor
> a web of trust (like PGP) so you are left checking the validity of
> host keys yourself. Still, it's not so bad if you only connect to a
> small handful of well known servers. You will either have verified
> them all soon enough and not be bothered with it anymore, or system
> administrators will maintain a global known_hosts file that lists
> all the correct ones.
The answer to your question: RFC4255
"Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
http://www.ietf.org/rfc/rfc4255.txt
You will only need to stuff the FPs into SSHFP DNS RRs and turn on
verification for these records on the clients. Done.
In combo with DNSSEC this is a (afaik ;) 100% secure way to at least get
the fingerprints right.
Greets,
Jeroen
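As an added illustration of the SSHFP mechanism Jeroen points to (this is example code written for this page, not part of his post or of OpenSSH), the block below computes the RDATA of an SSHFP record from an OpenSSH public-key line exactly the way `ssh-keygen -r` does, and then performs the client-side check: hash the key the server presented and compare it against the records published in DNS. RFC 4255 itself defines only algorithms 1 (RSA) and 2 (DSA) with fingerprint type 1 (SHA-1); the SHA-256 fingerprint type and the ECDSA/Ed25519 algorithm numbers used here come from the later RFCs 6594 and 7479 and go beyond what the post mentions. The host key is constructed in the code (32 arbitrary bytes wrapped in the Ed25519 wire format) so the example runs offline; it is not any real server's key.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers: 1 RSA, 2 DSA (RFC 4255), 3 ECDSA (RFC 6594), 4 Ed25519 (RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 SHA-1 (RFC 4255), 2 SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_openssh_pubkey(line):
    """Split an OpenSSH public-key line into (key type, raw key blob)."""
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    # The blob begins with its own length-prefixed type string; it must agree with the text field.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != keytype:
        raise ValueError("key type field does not match key blob")
    return keytype, blob


def sshfp_rdata(pubkey_line, fptype=2):
    """Return (algorithm, fptype, hex fingerprint): the RDATA of an SSHFP record for this key.
    Per RFC 4255 the fingerprint is the hash of the SSH wire-format public key blob."""
    keytype, blob = parse_openssh_pubkey(pubkey_line)
    algorithm = SSHFP_ALGORITHM[keytype]
    digest = SSHFP_HASH[fptype](blob).hexdigest()
    return algorithm, fptype, digest


def format_sshfp(owner, pubkey_line, fptype=2):
    """Render a zone-file line in the same form that 'ssh-keygen -r <host>' prints."""
    algorithm, fptype, digest = sshfp_rdata(pubkey_line, fptype)
    return f"{owner} IN SSHFP {algorithm} {fptype} {digest.upper()}"


def verify_host_key(pubkey_line, sshfp_records):
    """Client-side check: does the key the server presented match any published SSHFP record?
    sshfp_records is a list of (algorithm, fptype, hexdigest) tuples as returned from DNS.
    Records with an unknown fingerprint type are skipped; the digest comparison is constant-time."""
    keytype, blob = parse_openssh_pubkey(pubkey_line)
    algorithm = SSHFP_ALGORITHM.get(keytype)
    for rr_alg, rr_type, rr_digest in sshfp_records:
        if rr_alg != algorithm or rr_type not in SSHFP_HASH:
            continue
        computed = SSHFP_HASH[rr_type](blob).hexdigest()
        if hmac.compare_digest(computed.lower(), rr_digest.lower()):
            return True
    return False


def make_sample_ed25519_key(raw32):
    """Build a syntactically valid Ed25519 host-key line from 32 constructed bytes.
    Constructed for this example only; it is not a key from any real server."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " example-host"


SAMPLE_KEY = make_sample_ed25519_key(bytes(range(32)))       # the key the zone publishes
TAMPERED_KEY = make_sample_ed25519_key(bytes(range(1, 33)))  # a different key, as a MITM would present

if __name__ == "__main__":
    print(format_sshfp("host.example.com.", SAMPLE_KEY))
    published = [sshfp_rdata(SAMPLE_KEY)]
    print("genuine key matches SSHFP:", verify_host_key(SAMPLE_KEY, published))
    print("tampered key matches SSHFP:", verify_host_key(TAMPERED_KEY, published))
```

In OpenSSH the client side of this is the `VerifyHostKeyDNS yes` option in `ssh_config`; the DNSSEC caveat in the post matters in practice because the client only treats a matching record as authoritative when the resolver returns it as validated (AD bit set), and otherwise still falls back to prompting the user.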