nanog mailing list archives
Re: Best practices inquiry: tracking SSH host keys
From: Simon Leinen <simon () limmat switch ch>
Date: Thu, 29 Jun 2006 10:19:21 +0200
Jeroen Massar writes:
> The answer to your question: RFC4255 "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints" http://www.ietf.org/rfc/rfc4255.txt

Yes, that's cool if your SSH client supports it (recent OpenSSH's do).

> You will only need to stuff the FP's into SSHFP DNS RR's and turn on verification for these records on the clients. Done.

How do you get the SSH host key fingerprint of a Cisco into SSHFP syntax?

> In combo with DNSSEC this is a (afaik ;) 100% secure way to at least get the finger prints right.

Exactly.
-- 
Simon.
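
Added example, not part of the original message or of any project named in it: building an RFC 4255 SSHFP record from a host public key, where the fingerprint is the hash of the SSH public key blob. It assumes the key is already available as an OpenSSH-style public key line; the owner name `router1.example.net.` and the sample key are constructed placeholders.

```python
import base64
import hashlib
import struct

# SSHFP RDATA field 1, key algorithm numbers from RFC 4255.
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2}
# SSHFP RDATA field 2: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (added by RFC 6594).
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def sshfp_record(owner: str, pubkey_line: str, fp_type: int = 1) -> str:
    """Turn a 'keytype base64 [comment]' public key line into an SSHFP RR."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] not in KEY_ALGS:
        raise ValueError("expected an ssh-rsa or ssh-dss public key line")
    if fp_type not in FP_TYPES:
        raise ValueError("unknown SSHFP fingerprint type")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    # The blob carries its own algorithm name; reject a mislabelled key
    # rather than publish a record with the wrong algorithm number.
    if not blob.startswith(ssh_string(key_type.encode())):
        raise ValueError("key type label does not match the key blob")
    # The fingerprint is the hash of the whole public key blob.
    digest = FP_TYPES[fp_type](blob).hexdigest()
    return f"{owner} IN SSHFP {KEY_ALGS[key_type]} {fp_type} {digest}"


def constructed_rsa_line() -> str:
    """Constructed sample key (toy modulus, not a real host key)."""
    e = b"\x01\x00\x01"              # public exponent 65537
    n = b"\x00" + b"\xc3" * 128      # 1024-bit filler modulus as an mpint
    blob = ssh_string(b"ssh-rsa") + ssh_string(e) + ssh_string(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-key"


if __name__ == "__main__":
    # router1.example.net. is a placeholder owner name.
    print(sshfp_record("router1.example.net.", constructed_rsa_line()))
```

The record is only as trustworthy as the channel the key line was collected over, so the key should be read from the device itself rather than from an unauthenticated first connection.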