ssh_config: update comment for VerifyHostKeyDNS

OpenSSH is evil and gives you three not-optimal options to this:

A) trust DNSSEC and don't write known_hosts
B) ask whether to trust DNS, but don't bother telling me if it's signed
C) don't even check SSHFP

I see A) as the least evil, but I wish known_hosts was written.
Alternatively B) should tell me whether there is DNSSEC or not, not
only "matching keys found from DNS" or whatever it says always.
This commit is contained in:
Aminda Suomalainen 2019-05-09 18:44:36 +03:00
parent 9e03598e3f
commit e634ee8863
No known key found for this signature in database
GPG Key ID: 0C207F07B2F32B67
2 changed files with 10 additions and 10 deletions

View File

@ -42,11 +42,11 @@ Host *
# Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
UseRoaming no
# Verify SSHFP records. In case DNSSEC is used this skips the
# question on whether you trust the fingerprint or not.
# All my hosts run DNSSEC validating Unbound on localhost and use it
# for all DNS queries. Yours should too.
VerifyHostKeyDNS yes
# Verify SSHFP records. If this is yes, the question is skipped when
# DNSSEC is used, but apparently only "ask" and "no" write known_hosts
# However with "ask" you won't be told whether the zone is signed, so
# I consider "yes" to be the least evil.
VerifyHostKeyDNS ask
Host aur.archlinux.org
User aur

View File

@ -43,8 +43,8 @@ Host *
# Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
UseRoaming no
# Verify SSHFP records. In case DNSSEC is used this skips the
# question on whether you trust the fingerprint or not.
# All my hosts run DNSSEC validating Unbound on localhost and use it
# for all DNS queries. Yours should too.
VerifyHostKeyDNS yes
# Verify SSHFP records. If this is yes, the question is skipped when
# DNSSEC is used, but apparently only "ask" and "no" write known_hosts
# However with "ask" you won't be told whether the zone is signed, so
# I consider "yes" to be the least evil.
VerifyHostKeyDNS ask