[Bug 1296] VerifyHostKeyDNS default domain

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Apr 17 18:42:46 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=1296

--- Comment #9 from Christoph Lechleitner <christoph.lechleitner at iteg.at> ---
Thanks for commenting so fast in a closed issue.

I can confirm the Canonical* options work for me, thanks!

A few details for whoever else may be led here by Google:

In Debian wheezy, the wheezy-backports repository needs to be enabled
to get 6.5.

I trust DNS and CNAMEs because I have full control over our nameservers
and I don't use other nameservers (except for DNS update penetration
tests).

Here are the Canonical options with default values (at the first mention of
each option) and example values based on my ssh_config:

#CanonicalDomains
CanonicalDomains internal.site.mydomain.foo mydomain.foo partners.mydomain.foo

#CanonicalizeFallbackLocal no
CanonicalizeFallbackLocal yes

#CanonicalizeHostname no
#CanonicalizeHostname yes
CanonicalizeHostname always

CanonicalizeMaxDots 1

CanonicalizePermittedCNAMEs *.mydomain.foo:*

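As an added illustration (not part of the bug report and not OpenSSH's own code), the following Python models how the options above drive hostname canonicalization as documented in ssh_config(5): the short name is suffixed with each CanonicalDomains entry in turn, the first suffix that resolves wins, a CNAME is followed only when a CanonicalizePermittedCNAMEs rule matches both its source and its target, and CanonicalizeFallbackLocal decides what happens when nothing matches. The FAKE_DNS table, every hostname in it, and the STRICT_CONFIG variant are constructed for the example; the point of the second config is that the poster's rule `*.mydomain.foo:*` lets a CNAME carry the host-key lookup to any target at all, whereas `*.mydomain.foo:*.mydomain.foo` keeps it inside the controlled domain.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed stand-in for DNS: name -> CNAME target, or None when the name has
# its own address record. Names absent from the table do not resolve at all.
FAKE_DNS = {
    "web1.internal.site.mydomain.foo": None,
    "db.mydomain.foo": "db-real.mydomain.foo",
    "db-real.mydomain.foo": None,
    "mirror.partners.mydomain.foo": "mirror.cdn.example",  # CNAME leaving the domain
    "mirror.cdn.example": None,
}


def lookup(name):
    """Return (resolves, cname_target) for a name, following at most one CNAME hop."""
    if name not in FAKE_DNS:
        return False, None
    return True, FAKE_DNS[name]


@dataclass
class CanonicalConfig:
    """The subset of ssh_config options that drive hostname canonicalization."""
    domains: list                      # CanonicalDomains, tried in order
    max_dots: int = 1                  # CanonicalizeMaxDots (default 1)
    fallback_local: bool = True        # CanonicalizeFallbackLocal (default yes)
    permitted_cnames: list = field(default_factory=list)  # "src_list:dst_list" rules


def _match_any(name, pattern_list):
    """ssh-style pattern list: comma-separated globs, matched case-insensitively."""
    name = name.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in pattern_list.split(","))


def cname_permitted(source, target, rules):
    """A CNAME is followed only if some rule matches both its source and its target."""
    for rule in rules:
        src_list, dst_list = rule.split(":", 1)
        if _match_any(source, src_list) and _match_any(target, dst_list):
            return True
    return False


def canonicalize(host, cfg):
    """Return (canonical_name, reason): the name ssh would use for the host-key lookup."""
    if host.count(".") > cfg.max_dots:
        return host, "more dots than CanonicalizeMaxDots; used as given"
    for domain in cfg.domains:
        candidate = f"{host}.{domain}"
        resolves, target = lookup(candidate)
        if not resolves:
            continue                       # try the next CanonicalDomains suffix
        if target is None:
            return candidate, "resolved directly"
        if cname_permitted(candidate, target, cfg.permitted_cnames):
            return target, f"CNAME followed from {candidate}"
        # Not following the CNAME keeps the host-key lookup bound to the name
        # inside your own domain rather than to wherever the CNAME points.
        return candidate, f"CNAME to {target} not permitted; left unfollowed"
    if cfg.fallback_local:
        return host, "no CanonicalDomains match; falling back to local resolver"
    raise LookupError(f"Could not resolve host {host!r} under any CanonicalDomains")


# The poster's settings: any CNAME from *.mydomain.foo may point anywhere ("*").
POSTER_CONFIG = CanonicalConfig(
    domains=["internal.site.mydomain.foo", "mydomain.foo", "partners.mydomain.foo"],
    permitted_cnames=["*.mydomain.foo:*"],
)

# Tighter variant (an assumption, not from the bug report): CNAMEs are followed
# only while they stay inside mydomain.foo, and unresolvable short names fail.
STRICT_CONFIG = CanonicalConfig(
    domains=POSTER_CONFIG.domains,
    fallback_local=False,
    permitted_cnames=["*.mydomain.foo:*.mydomain.foo"],
)

if __name__ == "__main__":
    for host in ("web1", "db", "mirror", "a.b.c"):
        print(host, "->", canonicalize(host, POSTER_CONFIG))
        print(host, "->", canonicalize(host, STRICT_CONFIG))
```

Running it shows "mirror" ending up as mirror.cdn.example under the poster's rule but staying at mirror.partners.mydomain.foo under the strict one. Against a real OpenSSH client, `ssh -vvv name` logs the chosen name in its "Canonicalized hostname" debug line, which is the quickest way to confirm which name the known_hosts lookup is keyed on.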