Re: ssh public key finger print



The GNOME Infrastructure has DNSSEC configured on many of the hosted
zones already. [1]

I can confirm sshing into bastion.gnome.org with VerifyHostKeyDNS set
as 'true' works as expected for me:

debug1: Server host key: RSA 2b:e6:66:91:c6:84:2f:92:cb:0d:c3:fa:d9:9a:6a:10
debug1: found 1 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
debug1: ssh_rsa_verify: signature correct

If you run the above dig query without the +short flag, you'll see the
following line at the top of the output:

flags: qr rd ra ad;

AD stands for "Authenticated Data" which is what you would expect in
this case. The RFC [2] has more details about what AD is all about.

[1] https://wiki.gnome.org/Sysadmin/SOP/DNSZoneUpdates
[2] https://tools.ietf.org/html/rfc3655

2015-02-13 16:42 GMT+01:00 Peter Baumgarten <me peter-baumgarten com>:
Oh yes, I did the same thing, but when I tried sshing into bastion it
prompted me to confirm the public key fingerprint.  I checked that
VerifyHostKeyDNS was set to yes in my /etc/ssh/ssh_config file.  I was
wondering why I was still being prompted to confirm that I trusted the
fingerprint.  I did some research and the openssh client will not accept an
SSHFP record unless it comes from a trusted DNS zone.  My understanding is
the zone the SSHFP record comes from has to have DNSSEC set up and be signed
with a chain going all the way to the root DNS zone so as to prevent a MITM
attack.  I think this will be beneficial for new users and servers where if
they have VerifyHostKeyDNS in their ssh_config file they will not be
prompted to trust the fingerprint because they can look it up in DNS and can
trust it.  That was my idea, I also understand that DNSSEC might be a PITA to
set up correctly and not worth it.

On Fri, Feb 13, 2015 at 9:02 AM, Andrea Veri <av gnome org> wrote:

Hey Peter,

the SSHFP record is there already for bastion.gnome.org as dig can
confirm:

dig +short SSHFP bastion.gnome.org
1 1 6A3B7CAA1210CA3627C430E84CEE95A0A2F18B88

2015-02-12 21:46 GMT+01:00 Peter Baumgarten <me peter-baumgarten com>:
Any interest in having SSHFP records come from a signed DNS zone with
DNSSEC? That way, when VerifyHostKeyDNS is set to yes in someone's ssh
config, they will not be prompted to verify the public key fingerprint.

On Thu, 2015-02-12 at 08:37 +0100, Andrea Veri wrote:
That's correct:

2048 2b:e6:66:91:c6:84:2f:92:cb:0d:c3:fa:d9:9a:6a:10
/etc/ssh/ssh_host_rsa_key.pub (RSA)

This also reminded me I should set up an SSHFP record for
bastion.gnome.org. That has been done and is waiting for Puppet to pick
up the changes.


2015-02-12 3:26 GMT+01:00 Peter Baumgarten <me peter-baumgarten com>:
Does anyone know what the ssh public key fingerprint should be for
bastion.gnome.org? I got an RSA key fingerprint
2b:e6:66:91:c6:84:2f:92:cb:0d:c3:fa:d9:9a:6a:10 with an IP of
209.132.180.166

_______________________________________________
gnome-infrastructure mailing list
gnome-infrastructure gnome org
https://mail.gnome.org/mailman/listinfo/gnome-infrastructure

--
Cheers,

Andrea

Debian Developer,
Fedora / EPEL packager,
GNOME Infrastructure Team Coordinator,
GNOME Foundation Board of Directors Secretary,
GNOME Foundation Membership & Elections Committee Chairman

Homepage: http://www.gnome.org/~av
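Added example, not from this thread or the GNOME infrastructure: a Python script that derives, from an OpenSSH public key line, both the colon-separated MD5 fingerprint shown in the "Server host key" debug line and the SSHFP RDATA ("algorithm fptype hex-fingerprint", as in the dig output above) that a zone should publish, and checks a published SSHFP record against the key. The key material is constructed inside the script from a fake modulus and is not bastion.gnome.org's real key; the algorithm and fingerprint-type numbers are the standard SSHFP ones.

```python
import base64
import hashlib
import struct

# SSHFP RDATA is "<algorithm> <fptype> <hex fingerprint>" (RFC 4255, 6594, 7479):
# algorithm 1=RSA, 2=DSA, 3=ECDSA, 4=Ed25519; fptype 1=SHA-1, 2=SHA-256.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def parse_pubkey(line):
    """Split an OpenSSH public key line into (key type, raw wire-format blob)."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])          # blob starts with its own type string
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type field does not match blob")
    return keytype, blob

def md5_fingerprint(blob):
    """Legacy colon-separated MD5 fingerprint, as in the 'Server host key:' debug line."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def sshfp_records(keytype, blob):
    """SSHFP RDATA strings (SHA-1 and SHA-256) a zone should publish for this key."""
    alg = SSHFP_ALG[keytype]
    return [f"{alg} {t} {h(blob).hexdigest().upper()}" for t, h in SSHFP_HASH.items()]

def sshfp_matches(keytype, blob, record):
    """True if one SSHFP RDATA string (e.g. from 'dig +short SSHFP host') fits this key."""
    alg, fptype, fp = record.split()
    if int(alg) != SSHFP_ALG.get(keytype) or int(fptype) not in SSHFP_HASH:
        return False
    return SSHFP_HASH[int(fptype)](blob).hexdigest().lower() == fp.lower()

# --- constructed sample key (NOT bastion.gnome.org's real key) --------------
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n):  # positive mpint; adds the leading zero byte when the top bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

_fake_n = int.from_bytes(hashlib.sha256(b"constructed sample modulus").digest() * 8, "big") | 1 << 2047 | 1
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(_fake_n)
SAMPLE_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " sample@example"

if __name__ == "__main__":
    kt, blob = parse_pubkey(SAMPLE_PUBKEY_LINE)
    print("MD5 fingerprint:", md5_fingerprint(blob))
    for rr in sshfp_records(kt, blob):
        print("SSHFP record   :", rr)
```

Run against a real host, feed it the line from /etc/ssh/ssh_host_rsa_key.pub and the RDATA from dig; a match only means the record describes the key, and only a zone validated with the AD flag set lets the client trust it.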