have DNS-based verification occur by default
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openssh (Ubuntu) | Confirmed | Wishlist | Unassigned | |
Bug Description
Hi,
openssh can look up a host's key in the DNS (via the SSHFP record) and use it to compare the host's presented public key.
VerifyHostKeyDNS yes
I believe that if the connection is secured via DNSSEC, this option will allow the host's key to be automagically accepted. However, I have not verified that myself.
However, I have personally had this set to 'Yes', and for the initial connection to hosts which are NOT secured via DNSSEC I am prompted to accept the key.
If you want to be more cautious with the change then perhaps setting 'VerifyHostKeyDNS ask' would be better.
Either way, I think that making this the default option will:
- increase security for those who choose to deploy SSHFP
- increase awareness of this ability
The only downside is that a connection will make external calls to the DNS to determine if an SSHFP record exists.
It would be great if this change could be made before 12.04 is released.
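As an added example (not part of this bug report and not OpenSSH's own code), the following Python computes the SSHFP record for a host public key the way `ssh-keygen -r` publishes it, and models the client decision the report describes: automatic acceptance only for a key that matches a record from a DNSSEC-validated answer, a prompt otherwise. The sample key, the record list, the `dnssec_validated` flag and the `host_key_decision` model are constructed assumptions for illustration.

```python
import base64
import hashlib

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
FP_SHA1, FP_SHA256 = 1, 2


def sshfp_from_pubkey(pubkey_line, fp_type=FP_SHA256):
    """Return the SSHFP RDATA (algorithm, fp type, hex fingerprint) for one
    OpenSSH public-key line. The digest covers the decoded wire-format key
    blob, which is what `ssh-keygen -r` hashes when it prints the record."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    digest = hashlib.sha256(blob) if fp_type == FP_SHA256 else hashlib.sha1(blob)
    return SSHFP_ALGORITHMS[key_type], fp_type, digest.hexdigest()


def host_key_decision(pubkey_line, dns_records, dnssec_validated, mode="yes"):
    """Simplified model of the client-side check (an assumption, not OpenSSH's
    code): the presented key is trusted without a prompt only when it matches
    an SSHFP record AND the DNS answer was DNSSEC-validated AND the option is
    'yes'. A match from an unvalidated answer, or mode 'ask', still prompts."""
    if not dns_records:
        return "no-record"
    alg, fpt, fp = sshfp_from_pubkey(pubkey_line)
    matched = any(r[0] == alg and r[1] == fpt and r[2].replace(" ", "").lower() == fp
                  for r in dns_records)
    if not matched:
        return "mismatch"
    return "accept" if dnssec_validated and mode == "yes" else "ask"


def _ssh_string(b):
    # SSH wire-format string: 4-byte big-endian length followed by the bytes.
    return len(b).to_bytes(4, "big") + b


# Constructed sample: an ed25519 public-key blob with a dummy 32-byte key,
# not any real host's key.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " host"

if __name__ == "__main__":
    rec = sshfp_from_pubkey(SAMPLE_PUBKEY_LINE)
    print("host IN SSHFP %d %d %s" % rec)
    print(host_key_decision(SAMPLE_PUBKEY_LINE, [rec], dnssec_validated=True))
    print(host_key_decision(SAMPLE_PUBKEY_LINE, [rec], dnssec_validated=False))
```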
Changed in openssh (Ubuntu):
importance: Undecided → Wishlist
Meant to say that /etc/ssh/config would be the place to put the default configuration.