You are viewing mmcgrath


SSHFP records?

So I learned about SSHFP records at FUDCon and decided to implement them for some of our externally facing sites like cvs.fedoraproject.org, fedorapeople.org and git.fedorahosted.org (and others).

What is an SSHFP record? It's a fingerprint of an SSH host key published in DNS, so you can verify that the key a server presents is correct. For example you can run:

$ dig SSHFP git.fedorahosted.org

Which will get you:

git.fedorahosted.org. 85975 IN SSHFP 2 1 DE382873ABE19B40AEFE714D686E15E16EAD5177
git.fedorahosted.org. 85975 IN SSHFP 1 1 A843ECED826C2F0075888150E89AE4567CD37D7F

So how can you use this information? Set VerifyHostKeyDNS to yes in your ssh_config (see man ssh_config for more info; you'll probably want to place it in your ~/.ssh/config file).
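The comparison behind this check can be reproduced by hand. The Python below is an added example, not code from the original post: it parses the dig output shown above and compares a public key line against the records. The function names and the sample key are constructed for illustration; algorithm 3, algorithm 4 and fingerprint type 2 come from RFC 6594 and RFC 7479 rather than from the post.

```python
import base64
import hashlib

# Numbers from RFC 4255 (1, 2), RFC 6594 (3, SHA-256) and RFC 7479 (4).
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-": 3, "ssh-ed25519": 4}
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

# The two records shown in the post, as printed by dig.
PAGE_RECORDS = """\
git.fedorahosted.org. 85975 IN SSHFP 2 1 DE382873ABE19B40AEFE714D686E15E16EAD5177
git.fedorahosted.org. 85975 IN SSHFP 1 1 A843ECED826C2F0075888150E89AE4567CD37D7F
"""

def parse_sshfp(text):
    """Return (owner, key_alg, fp_type, hex_digest) for each SSHFP line."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[3].upper() != "SSHFP":
            continue  # skip comments, blank lines and other record types
        # dig may split long digests into space-separated chunks; rejoin them.
        digest = "".join(fields[6:]).lower()
        records.append((fields[0], int(fields[4]), int(fields[5]), digest))
    return records

def key_algorithm(key_type):
    """Map an OpenSSH key type name to its SSHFP algorithm number."""
    for prefix, number in KEY_ALGS.items():
        if key_type.startswith(prefix):
            return number
    raise ValueError("no SSHFP algorithm number for " + key_type)

def fingerprint(pubkey_line, fp_type):
    """Hash the decoded key blob of a 'type base64 [comment]' public key line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return FP_HASHES[fp_type](blob).hexdigest()

def key_matches(pubkey_line, records):
    """True if any record of the key's algorithm carries its fingerprint."""
    alg = key_algorithm(pubkey_line.split()[0])
    return any(
        fp_type in FP_HASHES and fingerprint(pubkey_line, fp_type) == digest
        for _, rec_alg, fp_type, digest in records if rec_alg == alg
    )

# Constructed sample key blob (not a real host key), in SSH wire format.
_parts = (b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 32)
_blob = b"".join(len(p).to_bytes(4, "big") + p for p in _parts)
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(_blob).decode() + " constructed"
```

A match is only as trustworthy as the DNS answer it came from; without DNSSEC validation the records themselves can be forged.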

Comments

(Anonymous)
Jan. 5th, 2010 08:29 am (UTC)
monkeysphere FTW
Dude, monkeysphere FTW! Add your SSH keys to the GPG web of trust.

http://web.monkeysphere.info/
berrange
Jan. 5th, 2010 09:53 am (UTC)
Security of DNS ?
NB, it appears that using DNS for distributing SSH host keys is only secure if both the SSH client machine & Fedora's DNS servers are using DNSSEC, otherwise you can't trust those SSHFP records

http://tools.ietf.org/html/rfc4255

[quote 4. Security Considerations]
The overall security of using SSHFP for SSH host key verification is
dependent on the security policies of the SSH host administrator and
DNS zone administrator (in transferring the fingerprint), detailed
aspects of how verification is done in the SSH implementation, and in
the client's diligence in accessing the DNS in a secure manner.
[/quote]

(Anonymous)
Jan. 5th, 2010 12:40 pm (UTC)
Re: Security of DNS ?
Having security that depends on ssh and dns seems slightly better than depending on ssh alone. I would also say we need to test this right now, so we will have enough experience when DNSSEC is more widely deployed.
berrange
Jan. 5th, 2010 12:53 pm (UTC)
Re: Security of DNS ?
The current system is not depending on ssh alone. If you SSH to any Fedora server, it is possible to verify the keys against the published values hosted on a secure HTTPS source

https://admin.fedoraproject.org/fingerprints

Admittedly this is a manual verification process, but the data source itself can be trusted assuming the webserver has a suitably signed certificate. If you do not use DNSSEC, then to use SSHFP is to replace a secure, manual process with an insecure, automated process. This does not seem like a win to me.
mmcgrath
Jan. 5th, 2010 02:42 pm (UTC)
Re: Security of DNS ?
We're not replacing anything, just adding additional ways of doing verification. In our case almost no one knows about fingerprints but there are people doing sshfp verification (think fedorahosted where people aren't that involved in Fedora but are contributing to upstream code).

Also, we have dnssec configured but not completely set up yet.
muerte
Jan. 5th, 2010 04:33 pm (UTC)
I've never heard of SSHFP, but it's pretty cool. Thanks for the info.
(Anonymous)
Aug. 9th, 2010 09:18 pm (UTC)
My own mksshfp script.
Note that "sshfp" kind of sucks, so I threw together a quick "mksshfp" which sucks in different ways and you can get it from http://jafo.tummy.com/mksshfp

It doesn't take any options, but it *DOES* look in your configs to try to find all your known_hosts files (via the GlobalKnownHostsFile option) and it does seem to display information about known_hosts entries that "sshfp" didn't seem to.

Sean