Yegor Ievlev
2019-Feb-23 19:02 UTC
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
Well, SSHFP is supposed to only be used on DNSSEC-enabled domains.

On Sat, Feb 23, 2019 at 9:59 PM Peter Stuge <peter at stuge.se> wrote:
>
> Yegor Ievlev wrote:
> > It would make more sense to treat SSHFP records in the same way as
> > known_hosts
>
> I disagree with that - known_hosts is nominally a client-local configuration.
>
> I think it's a very bad idea to have the client start treating foreign network
> input as equivalent to local configuration.
>
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Peter Stuge
2019-Feb-23 19:15 UTC
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
Yegor Ievlev wrote:
> > I think it's a very bad idea to have the client start treating foreign
> > network input as equivalent to local configuration.
>
> Well, SSHFP is supposed to only be used on DNSSEC-enabled domains.

To the client it's still foreign input, even though it's signed by (best case)
the remote site DNS administrator.


//Peter
Yegor Ievlev
2019-Feb-23 19:23 UTC
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
Well, known_hosts isn't exactly trusted input, since it's usually composed of
the keys you first encounter, without any additional checking, as opposed to
(hopefully) correctly signed SSHFP records.

On Sat, Feb 23, 2019 at 10:22 PM Peter Stuge <peter at stuge.se> wrote:
>
> Yegor Ievlev wrote:
> > > I think it's a very bad idea to have the client start treating foreign
> > > network input as equivalent to local configuration.
> >
> > Well, SSHFP is supposed to only be used on DNSSEC-enabled domains.
>
> To the client it's still foreign input, even though it's signed by
> (best case) the remote site DNS administrator.
>
>
> //Peter
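The thread turns on how an SSHFP answer relates to the key a server presents and to a local known_hosts entry. The following is an added example, not code from the thread or from OpenSSH: it computes the SSHFP record (RFC 4255 algorithm and fingerprint-type numbers, SHA-1 or SHA-256 over the raw public-key blob) for an OpenSSH public-key line, matches it against DNS answers, and applies the ordering OpenSSH's `VerifyHostKeyDNS` documents, in which a local known_hosts entry decides first and a DNS match only counts as proof when the resolver reported DNSSEC validation. The host key, the DNS records and the `dnssec_validated` flag are all constructed inputs; the decision strings are the example's own labels.

```python
"""Added example: SSHFP computation and a known_hosts-first trust decision.
Not code from the openssh-unix-dev thread or from OpenSSH itself."""
import base64
import hashlib
import struct

# SSHFP RDATA algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH wire-format key blobs."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "host") -> str:
    """Build an OpenSSH public-key line from a 32-byte Ed25519 key (constructed input)."""
    if len(raw32) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def sshfp_for_key(pubkey_line: str, fptype: int = 2) -> str:
    """Return the SSHFP RDATA text ("<alg> <fptype> <hex>") for a public-key line."""
    keytype, b64 = pubkey_line.split()[:2]
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError(f"no SSHFP algorithm number for key type {keytype}")
    if fptype not in SSHFP_HASHES:
        raise ValueError(f"unsupported SSHFP fingerprint type {fptype}")
    blob = base64.b64decode(b64)  # the fingerprint covers the raw blob, not the base64
    return f"{SSHFP_ALGORITHMS[keytype]} {fptype} {SSHFP_HASHES[fptype](blob).hexdigest()}"


def sshfp_matches(pubkey_line: str, record: str) -> bool:
    """True if one SSHFP record (zone-file text, any hex case) fingerprints this key."""
    fields = record.split()
    if len(fields) != 3 or not fields[0].isdigit() or not fields[1].isdigit():
        return False  # malformed answer: never treat it as a match
    alg, fptype, hexfp = int(fields[0]), int(fields[1]), fields[2].lower()
    if fptype not in SSHFP_HASHES:
        return False
    computed = sshfp_for_key(pubkey_line, fptype).split()
    return int(computed[0]) == alg and computed[2] == hexfp


def evaluate_host_key(presented_key: str, sshfp_records, dnssec_validated: bool,
                      known_hosts_entry=None) -> str:
    """Decide what the client may conclude about a presented host key.

    known_hosts_entry: the public-key line stored locally for this host, or None.
    sshfp_records:     SSHFP RDATA strings returned by the resolver (constructed here).
    dnssec_validated:  whether the resolver reported the answer as DNSSEC-validated.
    """
    if known_hosts_entry is not None:
        # Local configuration is authoritative: a mismatch is fatal whatever DNS says.
        if known_hosts_entry.split()[:2] == presented_key.split()[:2]:
            return "trusted-local"
        return "reject-mismatch"
    if any(sshfp_matches(presented_key, r) for r in sshfp_records):
        # Only a validated answer is evidence; an unsigned match is informational.
        return "trusted-dns" if dnssec_validated else "ask-unverified-dns"
    return "ask-no-match"


# Constructed sample keys: deterministic bytes, not real host keys.
HOST_KEY_LINE = make_ed25519_pubkey_line(bytes(range(32)), "example-host")
OTHER_KEY_LINE = make_ed25519_pubkey_line(bytes(range(32, 64)), "other-host")

if __name__ == "__main__":
    record = sshfp_for_key(HOST_KEY_LINE)
    print("SSHFP RDATA:", record)
    print("validated DNS match:", evaluate_host_key(HOST_KEY_LINE, [record], True))
    print("unvalidated DNS match:", evaluate_host_key(HOST_KEY_LINE, [record], False))
    print("known_hosts mismatch:", evaluate_host_key(OTHER_KEY_LINE, [record], True, HOST_KEY_LINE))
```

The decision order is the point: a known_hosts entry, trusted or not at first encounter, is local configuration and settles the question before any DNS answer is consulted; an SSHFP match without DNSSEC validation is shown to the user but never substitutes for that local entry.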