choose the right sshfp

Lukasz Stelmach lukasz.stelmach at telmark.waw.pl
Thu Aug 7 19:19:47 EST 2008


Greetings.

I've set up several sshfp records some time ago. Everything works great
except the way openssh chooses the sshfp record. Now it looks like the
client asks for the name supplied on the command line. It might
be a bit troublesome since there are at least three ways to set up
some aliases and at least one of them is secure.

I propose an alternative way which even seems more robust as far
as multihoming is concerned.

1. Get the name from the command line.
2. Connect to the host.
3. Ask the socket for the address of the remote host
   (important for multihoming)
4. Make a revDNS query to get the "real name".
5. Look for an SSHFP for the "real name".

Of course this procedure might (I have not analysed it carefully) pose
some security risks so it should be optional. Or even more, it should be
allowed only for some hosts based on both IP and name (eg. *.example.com
and 192.0.2.128/26).

PS. Please CC the answers, I haven't subscribed to the list.
-- 
Best regards,
>Łukasz<
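The lookup procedure proposed above (steps 3 to 5) together with the opt-in name/CIDR rule, as an added example that is not part of the original message nor of OpenSSH. All DNS answers are constructed in-line for a hypothetical example.com zone, and one extra check is added that the mail leaves open: the PTR answer is only trusted if its A record points back at the connected address.

```python
import fnmatch
import hashlib
import ipaddress

# Constructed answers standing in for real PTR/A/SSHFP lookups (hypothetical zone).
FAKE_DNS = {
    ("128.2.0.192.in-addr.arpa.", "PTR"): ["real.example.com."],
    # Constructed spoof: PTR for .129 claims a name whose A record does not point back.
    ("129.2.0.192.in-addr.arpa.", "PTR"): ["real.example.com."],
    ("real.example.com.", "A"): ["192.0.2.128"],
    ("real.example.com.", "SSHFP"): ["1 2 " + hashlib.sha256(b"constructed-rsa-key-blob").hexdigest()],
    ("alias.example.com.", "SSHFP"): [],
}

def fake_lookup(name, rrtype):
    return FAKE_DNS.get((name, rrtype), [])

def reverse_name(ip):
    """Owner name for the PTR query (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def real_name(ip, lookup):
    """Step 4 of the proposal, plus forward confirmation of the PTR answer."""
    for ptr in lookup(reverse_name(ip), "PTR"):
        if ip in lookup(ptr, "A"):
            return ptr
    return None

def policy_allows(ip, name, rules):
    """Opt-in rule list of (name glob, CIDR); both must match, as the mail proposes."""
    addr = ipaddress.ip_address(ip)
    return any(fnmatch.fnmatchcase(name.rstrip("."), glob) and addr in ipaddress.ip_network(cidr)
               for glob, cidr in rules)

def choose_sshfp(cmdline_name, peer_ip, rules, lookup):
    """Return (name used, SSHFP records); peer_ip is what getpeername() gave for the
    socket (step 3). Falls back to the command-line name when rDNS is not permitted."""
    name = real_name(peer_ip, lookup)
    if name and policy_allows(peer_ip, name, rules):
        return name, lookup(name, "SSHFP")
    return cmdline_name, lookup(cmdline_name, "SSHFP")

def sshfp_matches(records, key_algo, key_blob):
    """Compare a host key blob against '<algo> <fptype> <hex>' SSHFP records,
    fptype 1 = SHA-1 (RFC 4255) and 2 = SHA-256 (RFC 6594)."""
    hashes = {1: hashlib.sha1, 2: hashlib.sha256}
    for rec in records:
        algo, fptype, fp = rec.split()
        if int(algo) == key_algo and int(fptype) in hashes:
            if hashes[int(fptype)](key_blob).hexdigest() == fp.lower():
                return True
    return False
```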


More information about the openssh-unix-dev mailing list