
touch-packages team mailing list archive

[Bug 825825] Re: have DNS based verification occur by default


Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openssh (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/825825

Title:
  have DNS based verification occur by default

Status in “openssh” package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  openssh can look up a host's key in the DNS (via the SSHFP record) and
  use it to compare the host's presented public key.

  
    VerifyHostKeyDNS yes

  I believe that if the connection is secured via DNSSEC, this option
  will allow the host's key to be automagically accepted. However, I
  have not verified that myself.

  However, I have had this personally set to 'yes', and for initial
  connections to hosts which are NOT secured via DNSSEC I am prompted to
  accept the key.

  If you want to be more cautious with the change then perhaps setting
  'VerifyHostKeyDNS ask' would be better.

  Either way, I think that making this the default option will:
   - increase security for those who choose to deploy SSHFP
   - increase awareness of this ability

  The only downside is that a connection will make external calls to the
  DNS to determine if an SSHFP record exists.

  It would be great if this change could be made before 12.04 is
  released.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/825825/+subscriptions
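As an added illustration (not part of the bug report or of OpenSSH), the following Python models the SSHFP check the report relies on: it derives the SSHFP records a zone would publish for a host key (the same algorithm/fingerprint-type numbers and hash-of-key-blob construction that `ssh-keygen -r` uses) and shows why a matching record is only auto-accepted when the DNS answer was DNSSEC-validated. The key is a constructed ed25519-shaped blob, not a real host key, and `verify_host_key` is a simplified model of the client decision, not OpenSSH's code.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """Return (algorithm, fptype, hex fingerprint) tuples for one OpenSSH
    public-key line; the fingerprint is the hash of the raw key blob."""
    keytype, b64blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64blob)
    # The blob begins with a length-prefixed key-type string; reject a line
    # whose leading token disagrees with the blob it carries.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type token does not match key blob")
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, fpt, h(blob).hexdigest()) for fpt, h in SSHFP_HASH.items()]


def verify_host_key(pubkey_line, dns_records, dnssec_validated):
    """Simplified VerifyHostKeyDNS decision for a presented host key:
    'accept' only when a SHA-256 record matches AND the answer was
    DNSSEC-validated (AD bit); 'ask' on a match without DNSSEC (the user is
    still prompted, as the report observes); 'mismatch' when records exist
    but none match; 'no-record' when the zone publishes none."""
    mine = {(a, f, fp) for a, f, fp in sshfp_records(pubkey_line) if f == 2}
    published = {(a, f, fp.lower()) for a, f, fp in dns_records if f == 2}
    if not published:
        return "no-record"
    if not mine & published:
        return "mismatch"
    return "accept" if dnssec_validated else "ask"


# Constructed sample: an ed25519-shaped blob with a dummy 32-byte point.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " host.example"
```

Records returned by `sshfp_records` would be published as `host.example. IN SSHFP <alg> <fptype> <hex>`; a mismatch against a DNSSEC-signed record is the case worth alerting on, since it means the presented key is not the one the zone owner published.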