Bootstrapping SSH security

Philip Homburg pch-openssh at u-1.phicoh.com
Thu Aug 20 19:07:32 AEST 2015


In your letter dated Wed, 19 Aug 2015 08:44:47 +0300 you wrote:
>Are there reasons why we couldn't out-of-the-package trust on SSHFP
>when found with validating DNSSEC?

There is currently some support for SSHFP in OpenSSH, but it doesn't really
work.

I created a patch to fix the issue and put a fork up on GitHub:
https://github.com/phicoh/openssh-getdns/tree/getdns

Note that you have to enable this in configure with '--with-getdns' and
use -o 'VerifyHostKeyDNS yes' to enable the feature at runtime.
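
Added example, not part of the original message and not code from OpenSSH or the getdns fork: a Python model of the SSHFP check discussed above. It derives the SSHFP record data from a host public key and follows the ssh_config(5) rule for 'VerifyHostKeyDNS yes', where a matching fingerprint is trusted only if the DNS answer was DNSSEC-validated and otherwise falls back to asking. The function names, result strings and sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
            "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line, fp_type=2):
    """Return (algorithm, fp_type, hex digest) for an OpenSSH public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)  # the fingerprint covers the raw key blob
    return KEY_ALGS[key_type], fp_type, FP_TYPES[fp_type](blob).hexdigest()


def check_host_key(pubkey_line, records, dnssec_secure):
    """Hypothetical helper: compare an offered host key with SSHFP records.

    records is a list of (algorithm, fp_type, hex digest) tuples from DNS;
    dnssec_secure says whether the resolver validated the answer.
    """
    alg = KEY_ALGS[pubkey_line.split()[0]]
    usable = [r for r in records if r[0] == alg and r[1] in FP_TYPES]
    if not usable:
        return "no-record"
    for _, fp_type, digest in usable:
        ours = sshfp_rdata(pubkey_line, fp_type)[2]
        if hmac.compare_digest(ours, digest.lower()):
            # Only a validated answer may replace the interactive prompt.
            return "trust" if dnssec_secure else "ask"
    return "mismatch"


def constructed_key(seed):
    """Build a syntactically valid ssh-ed25519 line from constructed bytes."""
    name, raw = b"ssh-ed25519", hashlib.sha256(seed).digest()  # not a real key
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    host = constructed_key(b"host-a")
    alg, fp_type, digest = sshfp_rdata(host)
    print(f"host.example. IN SSHFP {alg} {fp_type} {digest}")
    print(check_host_key(host, [(alg, fp_type, digest)], dnssec_secure=False))
```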



