North American Network Operators Group


Re: Best practices inquiry: tracking SSH host keys

  • From: Jeroen Massar
  • Date: Wed Jun 28 21:22:37 2006
  • Openpgp: id=333E7C23;url=

On 6/28/06, Phillip Vandry <[email protected]> wrote:

> SSH implements neither a CA hierarchy (like X.509 certificates) nor
> a web of trust (like PGP) so you are left checking the validity of
> host keys yourself. Still, it's not so bad if you only connect to a
> small handful of well known servers. You will either have verified
> them all soon enough and not be bothered with it anymore, or system
> administrators will maintain a global known_hosts file that lists
> all the correct ones.

The answer to your question: RFC4255
"Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"

You will only need to stuff the FPs into SSHFP DNS RRs and turn on
verification for these records on the clients. Done.

In combo with DNSSEC this is a (afaik ;) 100% secure way to at least get
the fingerprints right.


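The two halves of the RFC 4255 mechanism Jeroen describes, publishing a fingerprint as an SSHFP record and having the client compare the offered host key against it, as an added worked example that is not part of the thread or of any project's code. The host key is a constructed ssh-ed25519 blob with a fixed byte pattern (not a real key), the owner name `host.example.` is an assumption, and the algorithm/fingerprint-type numbers beyond RFC 4255's own (ECDSA and SHA-256 from RFC 6594, Ed25519 from RFC 7479) are included so the generator covers current key types.

```python
import base64
import hashlib

# RFC 4255 SSHFP RDATA: <algorithm> <fingerprint type> <hex fingerprint>.
# Algorithms 1/2 and fingerprint type 1 (SHA-1) are from RFC 4255; ECDSA (3)
# and SHA-256 (type 2) were added by RFC 6594, Ed25519 (4) by RFC 7479.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {1: "sha1", 2: "sha256"}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + bytes)."""
    return len(data).to_bytes(4, "big") + data


def constructed_ed25519_host_key(pattern: bytes = bytes(range(32))) -> str:
    """Build a CONSTRUCTED ssh-ed25519 host key line for the demo.

    The 32-byte 'public key' is a fixed test pattern, not a real key; the
    fingerprint computation only cares about the encoded blob bytes.
    """
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pattern)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-demo-key"


def sshfp_rdata(pubkey_line: str, fp_types=(1, 2)):
    """Return [(algorithm, fptype, hexfp)] for one OpenSSH public key line.

    The fingerprint is the hash of the base64-decoded key blob, i.e. exactly
    the bytes the client receives from the server during key exchange.
    """
    fields = pubkey_line.split()
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64)
    algorithm = SSHFP_ALGORITHM[key_type]
    return [(algorithm, t, hashlib.new(SSHFP_FPTYPE[t], blob).hexdigest())
            for t in fp_types]


def sshfp_zone_lines(owner: str, pubkey_line: str, ttl: int = 3600):
    """Render the records in zone-file presentation format (one per fp type)."""
    return [f"{owner} {ttl} IN SSHFP {a} {t} {fp.upper()}"
            for a, t, fp in sshfp_rdata(pubkey_line)]


def parse_sshfp_rr(line: str):
    """Parse one SSHFP presentation-format line into (algorithm, fptype, hexfp)."""
    fields = line.split()
    idx = fields.index("SSHFP")
    # Hex may be split over whitespace in presentation format; join and lowercase.
    return int(fields[idx + 1]), int(fields[idx + 2]), "".join(fields[idx + 3:]).lower()


def host_key_matches_dns(pubkey_line: str, published_rrs) -> bool:
    """Client-side check: does the key the server offered match any SSHFP RR?

    Only meaningful when the RRset was DNSSEC-validated (AD bit set by a
    validating resolver); an unsigned answer could have been forged on the path.
    """
    published = {parse_sshfp_rr(rr) for rr in published_rrs}
    return any(rec in published for rec in sshfp_rdata(pubkey_line))


if __name__ == "__main__":
    key = constructed_ed25519_host_key()
    rrs = sshfp_zone_lines("host.example.", key)
    for rr in rrs:
        print(rr)
    print("host key matches DNS:", host_key_matches_dns(key, rrs))
```

In practice the zone-file side is what `ssh-keygen -r hostname` emits from the real host key, and the client side is OpenSSH's `VerifyHostKeyDNS yes` in `ssh_config`; as the post says, the check is only as strong as the DNSSEC validation in front of it, since a fingerprint fetched over unsigned DNS proves nothing about who answered.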