ssh_client: support SSHFP DNS records
Issue description

Once issue 856326 (or maybe just issue 856325) is implemented, we should be able to support SSHFP records: https://en.wikipedia.org/wiki/SSHFP_record

Basically it's a way of securely distributing ssh fingerprints for public systems.
Dec 4
We def need to own the resolver stack first to avoid DNS poisoning.

If the ad bit is not set (DNS Authenticated Data bit used by DNSSEC), we should show a warning like normal.

If the ad bit is set, but DNS channel isn't encrypted, we should show a warning like normal. I.e. we behave as if the ad bit isn't set since we can't trust it (packets could have been MITM-ed).

We probably should accept that localhost resolvers (e.g. 127.0.0.1) presenting the ad bit are OK even if we aren't encrypting as the possibility of spoof there is, practically speaking, not an issue for people.

We probably should warn even louder if the SSHFP key doesn't match the key the remote server presented.
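The warning rules described above, written out as an added sketch; it is not part of the issue and not ssh_client code. Every function and field name is hypothetical, the caller is assumed to have computed the presented key's fingerprints already, and treating a mismatch as the louder warning even when the DNS answer is untrusted is an assumption.

```javascript
// Added example; every name below is hypothetical, not ssh_client code.
// SSHFP presentation format: "<key algorithm> <fingerprint type> <hex digest>".
const FP_HEX_LEN = { 1: 40, 2: 64 };  // fingerprint type 1 = SHA-1, 2 = SHA-256

function parseSshfp(rdata) {
  const parts = rdata.trim().split(/\s+/);
  if (parts.length < 3) return null;
  const algorithm = Number(parts[0]);
  const fpType = Number(parts[1]);
  // Zone files may split the digest into whitespace-separated chunks.
  const hex = parts.slice(2).join('').toLowerCase();
  if (!Number.isInteger(algorithm) || !(fpType in FP_HEX_LEN)) return null;
  if (hex.length !== FP_HEX_LEN[fpType] || !/^[0-9a-f]+$/.test(hex)) return null;
  return { algorithm, fpType, hex };
}

// Assumption: "localhost resolver" means 127.0.0.0/8 or ::1.
function isLoopback(addr) {
  return /^127(\.\d{1,3}){3}$/.test(addr) || addr === '::1';
}

// answer:    { adBit, encrypted, resolver, records: [SSHFP rdata strings] }
// presented: { algorithm, fingerprints: { <fpType>: hex } } for the host key
//            the server sent, computed by the caller.
// Returns 'verified' (no prompt), 'warn' (normal unknown-host warning) or
// 'warn-mismatch' (the louder warning).
function evaluateHostKey(answer, presented) {
  // The AD bit only counts over an encrypted channel or a loopback resolver.
  const trusted =
      answer.adBit && (answer.encrypted || isLoopback(answer.resolver));
  // Keep only well-formed records for this key algorithm that we can compare.
  const candidates = answer.records.map(parseSshfp).filter(
      (r) => r && r.algorithm === presented.algorithm &&
             presented.fingerprints[r.fpType] !== undefined);
  if (candidates.length === 0) return 'warn';
  const match = candidates.some(
      (r) => r.hex === presented.fingerprints[r.fpType].toLowerCase());
  // Assumption: a mismatch is reported loudly whether or not DNS is trusted.
  if (!match) return 'warn-mismatch';
  return trusted ? 'verified' : 'warn';
}
```
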
Comment 1 by vapier@chromium.org, Aug 10