Best practices inquiry: tracking SSH host keys

Jeroen Massar jeroen at unfix.org
Thu Jun 29 01:20:53 UTC 2006


On 6/28/06, Phillip Vandry <vandry at tzone.org> wrote:

> SSH implements neither a CA hierarchy (like X.509 certificates) nor
> a web of trust (like PGP) so you are left checking the validity of
> host keys yourself. Still, it's not so bad if you only connect to a
> small handful of well known servers. You will either have verified
> them all soon enough and not be bothered with it anymore, or system
> administrators will maintain a global known_hosts file that lists
> all the correct ones.

The answer to your question: RFC4255
"Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
http://www.ietf.org/rfc/rfc4255.txt

You will only need to stuff the FP's into SSHFP DNS RR's and turn on
verification for these records on the clients. Done.

In combo with DNSSEC this is a (afaik ;) 100% secure way to at least get
the fingerprints right.

Greets,
 Jeroen
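
An added example (not part of the original post, and not OpenSSH's own code) showing how an SSHFP record of the kind described above is derived from a host public key and how a presented key is checked against it. It goes beyond RFC 4255 by also listing the algorithm and fingerprint numbers assigned later in RFC 6594 and RFC 7479; the host name, key material and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Key algorithm numbers: 1 and 2 are from RFC 4255; 3 (RFC 6594) and 4 (RFC 7479) came later.
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}  # 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)

def parse_pubkey(line):
    """Return (key type, raw key blob) from an OpenSSH public key line."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != keytype:
        raise ValueError("key type does not match the name inside the blob")
    return keytype, blob

def sshfp_rdata(line, fp_type=1):
    """RDATA fields: (algorithm number, fingerprint type, hex digest of the key blob)."""
    keytype, blob = parse_pubkey(line)
    return KEY_ALGS[keytype], fp_type, FP_HASHES[fp_type](blob).hexdigest()

def sshfp_record(host, line, fp_type=1):
    """Zone-file line publishing the fingerprint of the given host key."""
    return "%s IN SSHFP %d %d %s" % ((host,) + sshfp_rdata(line, fp_type))

def key_matches_dns(line, rdatas):
    """True if the key matches an SSHFP RDATA string; trust it only if DNSSEC-validated."""
    for rdata in rdatas:
        alg, fp_type, digest = rdata.split()
        if int(fp_type) not in FP_HASHES:
            continue  # unknown fingerprint type: skip it, never count it as a match
        want = sshfp_rdata(line, int(fp_type))
        if int(alg) == want[0] and hmac.compare_digest(digest.lower(), want[2]):
            return True
    return False

def constructed_key(keytype, filler):
    """Constructed sample input: a structurally valid blob, not a real key."""
    name = keytype.encode()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(filler)) + filler
    return "%s %s constructed@example" % (keytype, base64.b64encode(blob).decode())

HOST_KEY = constructed_key("ssh-rsa", b"\x01" * 32)   # key the admin published
OTHER_KEY = constructed_key("ssh-rsa", b"\x02" * 32)  # a different key presented at connect time

if __name__ == "__main__":
    print(sshfp_record("host.example.com.", HOST_KEY))
```

With OpenSSH, `ssh-keygen -r <hostname>` prints these records for a host's keys, and the client option `VerifyHostKeyDNS` turns on the lookup.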

