ssh_config: update comment for VerifyHostKeyDNS

OpenSSH is evil and gives you three not-optimal options for this:

A) trust DNSSEC and don't write known_hosts
B) ask whether to trust DNS, but don't bother telling me if it's signed
C) don't even check SSHFP

I see A) as the least evil, but I wish known_hosts was written.
Alternatively B) should tell me whether there is DNSSEC or not, not
only "matching keys found from DNS" or whatever it says always.
Aminda Suomalainen 2019-05-09 18:44:36 +03:00
parent 9e03598e3f
commit e634ee8863
No known key found for this signature in database
GPG Key ID: 0C207F07B2F32B67
2 changed files with 10 additions and 10 deletions


@ -42,11 +42,11 @@ Host *
# Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2 # Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
UseRoaming no UseRoaming no
# Verify SSHFP records. In case DNSSEC is used this skips the # Verify SSHFP records. If this is yes, the question is skipped when
# question on whether you trust the fingerprint or not. # DNSSEC is used, but apparently only "ask" and "no" write known_hosts
# All my hosts run DNSSEC validating Unbound on localhost and use it # However with "ask" you won't be told whether the zone is signed, so
# for all DNS queries. Yours should too. # I consider "yes" to be the least evil.
VerifyHostKeyDNS yes VerifyHostKeyDNS ask
Host aur.archlinux.org Host aur.archlinux.org
User aur User aur
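Review bot: the updated comment and the directive below it disagree: the comment ends with `# I consider "yes" to be the least evil.` while the setting moves from `VerifyHostKeyDNS yes` to `VerifyHostKeyDNS ask`. Either keep `yes`, which the comment (and the commit message) argues for, or reword that last comment line to say `ask` was chosen so that known_hosts is still written, which the preceding comment line already notes only `ask` and `no` do; as written a reader cannot tell which trade-off was actually picked. The commit title ("update comment") also does not mention that the effective value changes. Minor, in the unchanged context line above: `CVE-0778` is missing its year prefix next to `CVE-2016-0777`.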


@ -43,8 +43,8 @@ Host *
# Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2 # Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
UseRoaming no UseRoaming no
# Verify SSHFP records. In case DNSSEC is used this skips the # Verify SSHFP records. If this is yes, the question is skipped when
# question on whether you trust the fingerprint or not. # DNSSEC is used, but apparently only "ask" and "no" write known_hosts
# All my hosts run DNSSEC validating Unbound on localhost and use it # However with "ask" you won't be told whether the zone is signed, so
# for all DNS queries. Yours should too. # I consider "yes" to be the least evil.
VerifyHostKeyDNS yes VerifyHostKeyDNS ask
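Review bot: the same comment/value mismatch is carried into this second file (`# I consider "yes" to be the least evil.` directly followed by `VerifyHostKeyDNS ask`), so whichever wording is settled on for the first file needs to be applied here as well. Since both files hold an identical block (the CVE workaround comment, `UseRoaming no`, the SSHFP comment and `VerifyHostKeyDNS`), consider keeping these shared `Host *` lines in a single file that the other pulls in with `Include`, so the two copies cannot drift apart again.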