Package: openssh-client Version: 1:6.9p1-2+b1 Severity: normal File: /usr/share/man/man5/ssh_config.5.gz Tags: upstream patch
The ssh_config(5) manpage states:

     VerifyHostKeyDNS
             Specifies whether to verify the remote key using DNS and SSHFP
             resource records. If this option is set to “yes”, the client
             will implicitly trust keys that match a secure fingerprint from
             DNS. Insecure fingerprints will be handled as if this option was
             set to “ask”.

It's quite misleading to speak of "secure fingerprint from DNS", which could
only be considered secure with proper DNSSEC verification in place, but that
doesn't happen yet (#618863). The distinction apparently being made here is
between fingerprints from DNS (which are considered "secure", oh my…), and
fingerprints not from DNS.

I suggest the following rewording:

             Specifies whether to verify the remote key using DNS and SSHFP
             resource records. If this option is set to "yes", the client
             will implicitly trust keys for which a matching fingerprint can
             be obtained from DNS. When this is not the case, the connection
             attempt is handled as if this option was set to "ask".

Long term and with reference to #618863 it would make sense to introduce a
new option "insecure" to replace the current "yes", and have a new "yes"
only apply implicit trust if the fingerprint matches and the DNS information
could be verified.

Thanks for your consideration.
-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.18.3
ii  libc6             2.19-22
ii  libedit2          3.1-20150325-1
ii  libgssapi-krb5-2  1.13.2+dfsg-4
ii  libselinux1       2.3-2+b1
ii  libssl1.0.2       1.0.2d-3
ii  passwd            1:4.2-3
ii  zlib1g            1:1.2.8.dfsg-2+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain                     <none>
pn  libpam-ssh                   <none>
ii  monkeysphere                 0.37-3
ii  ssh-askpass-gnome [ssh-askpass]  1:6.9p1-2+b1

-- debconf-show failed

-- 
 .''`.   martin f. krafft <madduck@d.o> @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems
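To make the semantic point of the report concrete, here is an added model (not OpenSSH code and not part of the bug report) of the host-key decision as the reporter reads the current "yes" and as the proposed "insecure"/"yes" split would behave. It assumes a hypothetical `dnssec_validated` flag on each SSHFP record (the AD bit a validating resolver would set), and the host-key blob and records are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

# SSHFP algorithm and fingerprint-type numbers (RFC 4255 / 6594 / 7479).
ALG_RSA, ALG_DSA, ALG_ECDSA, ALG_ED25519 = 1, 2, 3, 4
FP_SHA1, FP_SHA256 = 1, 2
HASHES = {FP_SHA1: hashlib.sha1, FP_SHA256: hashlib.sha256}


@dataclass
class SSHFP:
    algorithm: int
    fptype: int
    fingerprint: str        # lowercase hex, as written in the zone file
    dnssec_validated: bool  # hypothetical: AD bit from a validating resolver


def sshfp_fingerprint(hostkey_blob: bytes, fptype: int) -> str:
    """An SSHFP fingerprint is the hash of the wire-format host key blob."""
    return HASHES[fptype](hostkey_blob).hexdigest()


def matching_records(hostkey_blob, algorithm, records):
    """SSHFP records whose algorithm and fingerprint match the offered key."""
    return [r for r in records
            if r.algorithm == algorithm and r.fptype in HASHES
            and sshfp_fingerprint(hostkey_blob, r.fptype) == r.fingerprint]


def decide_current(option, hostkey_blob, algorithm, records):
    """Current wording as the report reads it: 'yes' trusts any DNS match;
    anything else falls back to the usual prompt, modelled here as 'ask'."""
    if option == "no" or not matching_records(hostkey_blob, algorithm, records):
        return "ask"
    return "trust" if option == "yes" else "ask"


def decide_proposed(option, hostkey_blob, algorithm, records):
    """Report's long-term proposal: 'insecure' keeps today's 'yes' behaviour,
    while the new 'yes' only trusts a match that DNSSEC could verify."""
    matches = matching_records(hostkey_blob, algorithm, records)
    if option == "no" or not matches:
        return "ask"
    if option == "insecure":
        return "trust"
    if option == "yes":
        return "trust" if any(r.dnssec_validated for r in matches) else "ask"
    return "ask"


# Constructed sample: a fake Ed25519 host key blob and one unvalidated record.
HOSTKEY = b"constructed-ed25519-host-key-blob"
RECORDS = [SSHFP(ALG_ED25519, FP_SHA256,
                 sshfp_fingerprint(HOSTKEY, FP_SHA256), dnssec_validated=False)]
```

With `RECORDS` as constructed, `decide_current("yes", ...)` trusts the key while `decide_proposed("yes", ...)` still asks, which is exactly the gap the report describes.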