Bootstrapping SSH security
Philip Homburg
pch-openssh at u-1.phicoh.com
Thu Aug 20 19:07:32 AEST 2015
In your letter dated Wed, 19 Aug 2015 08:44:47 +0300 you wrote:
>Are there reasons why we couldn't out-of-the-package trust on SSHFP
>when found with validating DNSSEC?
There is currently some support for SSHFP in OpenSSH, but it doesn't really
work.
I created a patch to fix the issue and put a fork up on GitHub:
https://github.com/phicoh/openssh-getdns/tree/getdns
Note that you have to enable this in configure with '--with-getdns' and
use -o 'VerifyHostKeyDNS yes' to enable the feature at runtime.