mirror of
https://gitea.blesmrt.net/mikaela/shell-things.git
synced 2024-11-25 12:49:26 +01:00
ssh_config: update comment for VerifyHostKeyDNS
OpenSSH is evil and gives you three not-optimal options to this:

A) trust DNSSEC and don't write known_hosts
B) ask whether to trust DNS, but don't bother telling me if it's signed
C) don't even check SSHFP

I see A) as the least evil, but I wish known_hosts was written. Alternatively B) should tell me whether there is DNSSEC or not, not only "matching keys found from DNS" or whatever it says always.
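The check that the commit message says option B) never gives you, done by hand, as an added example that is not part of the shell-things repository or of this commit: a POSIX sh helper that reads `dig +dnssec SSHFP <host>` output and reports whether the answer came back DNSSEC-validated (the resolver's `ad` header flag), plus a second helper that normalises the records so they can be compared with what `ssh-keygen -r` prints on the server. The host name `host.example` and the embedded dig output are constructed placeholders, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the shell-things repository): check by hand what
# "VerifyHostKeyDNS ask" never tells you, namely whether the SSHFP answer was
# DNSSEC-validated. A validating resolver (the config comments mention Unbound
# on localhost) sets the "ad" flag in the reply header only when it validated
# the answer; ssh itself only reports that a matching key was found.
#
# Usage against a real host (needs network; not run here):
#   dig +dnssec SSHFP host.example | sshfp_status
#   dig +dnssec SSHFP host.example | sshfp_records   # diff against `ssh-keygen -r host.example` run on the server

# sshfp_status reads `dig +dnssec SSHFP <host>` output on stdin and prints one
# of: secure, insecure, none. The exit status is 0 only for "secure".
sshfp_status() {
    out=$(cat)
    # Number of SSHFP records in the answer; the RRSIG covering them has
    # "IN  RRSIG  SSHFP" and therefore does not match this pattern.
    n=$(printf '%s\n' "$out" | grep -c '[[:space:]]IN[[:space:]][[:space:]]*SSHFP[[:space:]]' || true)
    if [ "$n" -eq 0 ]; then
        echo none
        return 2
    fi
    # "ad" among the header flags means the resolver validated the answer.
    if printf '%s\n' "$out" | grep -q '^;; flags:.*[[:space:]]ad[;[:space:]]'; then
        echo secure
        return 0
    fi
    echo insecure
    return 1
}

# sshfp_records prints "<algorithm> <fptype> <fingerprint>" for each SSHFP
# record, lowercased and single-spaced, in the same shape as `ssh-keygen -r`
# output after its "<host> IN SSHFP" prefix, so the two can be diffed.
sshfp_records() {
    grep '[[:space:]]IN[[:space:]][[:space:]]*SSHFP[[:space:]]' \
        | sed 's/.*SSHFP[[:space:]]*//; s/[[:space:]][[:space:]]*/ /g' \
        | tr '[:upper:]' '[:lower:]' | sort
}

# Constructed dig output (not captured from a real host); fingerprint,
# signature and timestamps are placeholders.
SAMPLE_SECURE=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
host.example.   3600  IN  SSHFP  4 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
host.example.   3600  IN  RRSIG  SSHFP 13 2 3600 20250101000000 20241201000000 12345 example. placeholder=='

# Same record, but the resolver did not (or could not) validate it: no "ad".
SAMPLE_INSECURE=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
host.example.   3600  IN  SSHFP  4 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'

# No SSHFP published at all: only an SOA in the authority section.
SAMPLE_NONE=';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.        3600  IN  SOA  ns1.example. hostmaster.example. 1 7200 3600 1209600 3600'

# Demo on the constructed samples; expected lines: secure, insecure, none.
for s in "$SAMPLE_SECURE" "$SAMPLE_INSECURE" "$SAMPLE_NONE"; do
    printf '%s\n' "$s" | sshfp_status || true
done
```

Only "secure" means the answer is as trustworthy as the "yes" path in ssh; with "insecure" the `Matching host key fingerprint found in DNS` line you get at the `ask` prompt is worth nothing more than the fingerprint itself, which then has to be compared out of band.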
This commit is contained in:
parent 9e03598e3f
commit e634ee8863
@ -42,11 +42,11 @@ Host *
# Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
UseRoaming no
# Verify SSHFP records. In case DNSSEC is used this skips the
# question on whether you trust the fingerprint or not.
# All my hosts run DNSSEC validating Unbound on localhost and use it
# for all DNS queries. Yours should too.
VerifyHostKeyDNS yes
# Verify SSHFP records. If this is yes, the question is skipped when
# DNSSEC is used, but apparently only "ask" and "no" write known_hosts
# However with "ask" you won't be told whether the zone is signed, so
# I consider "yes" to be the least evil.
VerifyHostKeyDNS ask
Host aur.archlinux.org
User aur
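Review bot: the new comment and the new value contradict each other: the comment ends with 'I consider "yes" to be the least evil', yet the line right under it changes `VerifyHostKeyDNS yes` to `VerifyHostKeyDNS ask`, and the commit message likewise calls option A) (yes) the least evil. Either keep `yes`, or reword the comment to say why `ask` was chosen anyway (by the comment's own reasoning, because `ask` writes known_hosts and `yes` does not). The phrase 'apparently only "ask" and "no" write known_hosts' reads as a guess; state it as observed behaviour and name the OpenSSH version it was checked with. The unchanged context line "CVE-2016-0777 & CVE-0778" should spell out CVE-2016-0778 so the identifier is searchable.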
@ -43,8 +43,8 @@ Host *
# Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
UseRoaming no
# Verify SSHFP records. In case DNSSEC is used this skips the
# question on whether you trust the fingerprint or not.
# All my hosts run DNSSEC validating Unbound on localhost and use it
# for all DNS queries. Yours should too.
VerifyHostKeyDNS yes
# Verify SSHFP records. If this is yes, the question is skipped when
# DNSSEC is used, but apparently only "ask" and "no" write known_hosts
# However with "ask" you won't be told whether the zone is signed, so
# I consider "yes" to be the least evil.
VerifyHostKeyDNS ask
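Review bot: this second copy of the block has the same mismatch as the first (comment argues for "yes", value is `ask`); whichever way that is resolved, keep the two files in step so they do not drift apart. The comment also still opens with "Verify SSHFP records" for a value that only asks; since, as the comment itself says, the `ask` prompt does not tell you whether the zone is signed, it would help the reader to say what to do at that prompt: compare the shown fingerprint with the server's own (for example the `ssh-keygen -r` output taken on the host) rather than relying on the "matching" line.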