Hello All,

I have a client-server setup with about 100 nodes. We often install the OS and this results in change of host keys in our server. This necessitates the need to update all known_hosts files in the client machines. I'm using the VerifyHostKeyDNS option in the client side where the DNS is updated with new fingerprint each time we change the host key. But still the SSH client verifies its known_hosts file even if the DNS fingerprint matches.

Is there any way to overcome the client's local database check if the DNS fingerprint matches? What are the security issues associated with this way?

Thanks,
Senthil Kumar.
Senthil Kumar wrote:
> I have a client-server setup with about 100 nodes. We often install the OS
> and this results in change of host keys in our server. This necessitates the
> need to update all known_hosts files in the client machines. I'm using the
> VerifyHostKeyDNS option in the client side where the DNS is updated with new
> fingerprint each time we change the host key. But still the SSH client
> verifies its known_hosts file even if the DNS fingerprint matches.
>
> Is there any way to overcome the client's local database check if the DNS
> fingerprint matches? What are the security issues associated with this way?

If your DNS is trusted (i.e. DNSSEC) then the fingerprints will be trusted too. Otherwise the DNS results are used as an additional check but are not trusted.

If practical you could also save and restore the host keys during a rebuild.

-- 
Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
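The following is an added illustration for readers of this thread; it is not code from either poster nor from OpenSSH. It shows what the DNS fingerprint Senthil mentions actually is (an SSHFP record is a hash of the same public-key blob that a known_hosts line stores, as in RFC 4255/6594, with the Ed25519 algorithm number from RFC 7479 added as a generalization beyond the key types in use when this was written), and it models the trust rule in Darren's reply: a matching SSHFP record only stands in for known_hosts when the DNS answer was DNSSEC-validated, otherwise it is advisory and a changed key is still refused. The host name, the all-zero-to-31 "key" and the `host_key_decision` function are constructed assumptions; the decision model is deliberately simplified (it ignores StrictHostKeyChecking and certificate keys).

```python
import base64
import hashlib

# SSH public-key algorithm name -> SSHFP algorithm number
# (RFC 4255: RSA=1, DSA=2; RFC 6594: ECDSA=3; RFC 7479: Ed25519=4).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_known_hosts_line(line):
    """Return (host_field, keytype, key_blob) for a plain (unhashed) known_hosts line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    host, keytype, b64 = fields[0], fields[1], fields[2]
    return host, keytype, base64.b64decode(b64)


def sshfp_rdata(keytype, blob, fp_type=2):
    """Build SSHFP RDATA ('<alg> <fptype> <hex>') for a wire-format public key blob.

    The digest covers exactly the bytes that the base64 field of a known_hosts
    line encodes, which is why a DNS record can vouch for a known_hosts entry.
    """
    alg = SSHFP_ALGORITHM[keytype]
    digest = SSHFP_DIGEST[fp_type](blob).hexdigest()
    return f"{alg} {fp_type} {digest}"


def sshfp_zone_line(owner, keytype, blob, fp_type=2):
    """Zone-file form of the record, as an operator would publish it after a rebuild."""
    return f"{owner}. IN SSHFP {sshfp_rdata(keytype, blob, fp_type)}"


def openssh_fingerprint(blob):
    """The 'SHA256:...' fingerprint string OpenSSH prints for the same blob."""
    raw = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(raw).decode().rstrip("=")


def sshfp_matches(keytype, blob, dns_rdata):
    """Compare the presented host key against one SSHFP record from DNS."""
    alg, fp_type, digest = dns_rdata.split()
    alg, fp_type = int(alg), int(fp_type)
    if fp_type not in SSHFP_DIGEST or SSHFP_ALGORITHM.get(keytype) != alg:
        return False
    expected = sshfp_rdata(keytype, blob, fp_type).split()[2]
    return expected == digest.lower()


def host_key_decision(known_hosts_state, dns_match, dns_secure):
    """Simplified model (an assumption, not OpenSSH's code) of how the DNS
    result combines with known_hosts under VerifyHostKeyDNS=yes.

    known_hosts_state: "match", "changed" or "absent".
    Returns "accept", "reject" or "ask" (interactive prompt).
    """
    if dns_match and dns_secure:
        return "accept"          # DNSSEC-validated SSHFP match: DNS is trusted
    if known_hosts_state == "match":
        return "accept"
    if known_hosts_state == "changed":
        return "reject"          # unvalidated DNS never overrides a changed key
    return "ask"                 # unknown host: prompt; DNS match is only advisory


# Constructed dummy key (NOT a real key): SSH wire format is the string
# "ssh-ed25519" followed by a 32-byte public key, here the bytes 0x00..0x1f.
DUMMY_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
DUMMY_HOST = "node17.example.net"          # assumed host name
DUMMY_LINE = f"{DUMMY_HOST} ssh-ed25519 " + base64.b64encode(DUMMY_BLOB).decode()


if __name__ == "__main__":
    host, keytype, blob = parse_known_hosts_line(DUMMY_LINE)
    print(sshfp_zone_line(host, keytype, blob))
    print(openssh_fingerprint(blob))
    print(sshfp_matches(keytype, blob, sshfp_rdata(keytype, blob)))
    print(host_key_decision("changed", dns_match=True, dns_secure=False))
```

Running it prints the SSHFP record that would have to be published for this dummy key, the fingerprint a user would see at the prompt, and the outcome for Senthil's situation when the DNS answer is not validated: the changed key is still rejected. Keeping the host keys across a rebuild, as Darren suggests, avoids the problem entirely because neither the known_hosts entry nor the DNS record changes.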