combining openSSH and DNSSEC

Stefan Mangard smangard at gmx.net
Thu Aug 17 02:50:20 EST 2000


> That sounds like an interesting idea, but surely DNSSEC only makes
> sure that you get the authentic IP address?  If the connection is
> hijacked later on, you are no better off.

Actually I am going one step further. I also use the DNS features to
distribute the public host keys. 
The DNS server signs the host keys of all machines in a network. 
Therefore not only the IP is authenticated, but also the host itself.
The DNS server acts as a kind of key distribution server.
The advantage compared to the standard system lies in the fact that it is
only necessary to have the public key of the DNS server, which is used for
signing, and not the key of each host of the network.

A page with all details will be online from tomorrow on. There will be a
link on the page:

http://www.cs.jhu.edu/hisl

The project name is LADON.

> Personally I am very interested in playing with different ways of
> doing authentication...

Me too ;-)

Stefan
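
The trust model described in this message, as an added example that is not part of the original post and not LADON code: the client holds only the zone's public key, checks the zone signature on a published host key, then compares that key with the one the SSH server offers. Assumptions: Ed25519 stands in for whatever signature algorithm the DNS server uses, and the HostKeyRecord type, the function names and the host name are hypothetical rather than the DNSSEC wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// HostKeyRecord is a hypothetical signed host-key record as fetched from DNS.
type HostKeyRecord struct {
	Host         string
	HostKey, Sig []byte // published host key; zone signature over signedData
}

var (
	ErrWrongName    = errors.New("record is for a different host")
	ErrBadSignature = errors.New("record not signed by the trusted zone key")
	ErrKeyMismatch  = errors.New("server offered a key other than the published one")
)

// signedData length-prefixes the name so name and key bytes cannot be shifted.
func signedData(host string, key []byte) []byte {
	return append(append([]byte{byte(len(host) >> 8), byte(len(host))}, host...), key...)
}

// SignRecord is run by the zone administrator, once per host.
func SignRecord(zonePriv ed25519.PrivateKey, host string, hostKey []byte) HostKeyRecord {
	return HostKeyRecord{Host: host, HostKey: hostKey, Sig: ed25519.Sign(zonePriv, signedData(host, hostKey))}
}

// VerifyHost is the client check; zonePub is the only key the client must hold.
func VerifyHost(zonePub ed25519.PublicKey, want string, rec HostKeyRecord, offered []byte) error {
	switch {
	case rec.Host != want:
		return ErrWrongName
	case !ed25519.Verify(zonePub, signedData(rec.Host, rec.HostKey), rec.Sig):
		return ErrBadSignature
	case !bytes.Equal(rec.HostKey, offered):
		return ErrKeyMismatch
	}
	return nil
}

func main() {
	zonePub, zonePriv, _ := ed25519.GenerateKey(nil) // constructed zone key
	hostPub, _, _ := ed25519.GenerateKey(nil)        // constructed host key
	rec := SignRecord(zonePriv, "shell.example.org", hostPub)
	fmt.Println(VerifyHost(zonePub, "shell.example.org", rec, hostPub))
}
```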

More information about the openssh-unix-dev mailing list