Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openssh (Ubuntu)
       Status: New => Confirmed

--
https://bugs.launchpad.net/bugs/825825

Title:
  have DNS based verification occur by default

Status in “openssh” package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  openssh can look up a host's key in the DNS (via the SSHFP record) and
  use it to compare the host's presented public key.

    VerifyHostKeyDNS yes

  I believe that if the connection is secured via DNSSEC, this option
  will allow the host's key to be automagically accepted. However, I
  have not verified that myself.

  However, I have had this personally set to 'Yes', and for initial
  connections to hosts which are NOT secured via DNSSEC I am prompted to
  accept the key.

  If you want to be more cautious with the change then perhaps setting
  'VerifyHostKeyDNS ask' would be better.

  Either way, I think that making this the default option will:
  - increase security for those who choose to deploy SSHFP
  - increase awareness of this ability

  The only downside is that a connection will make external calls to
  the DNS to determine if an SSHFP record exists.

  It would be great if this change could be made before 12.04 is
  released.
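
An added example, not part of the bug report and not OpenSSH's own code: how an SSHFP record (RFC 4255 / RFC 6594 numbering) is checked against a host's presented public key, with a simplified model of the VerifyHostKeyDNS decision as ssh_config(5) describes it. The function names, the sample key and the sample record are constructed for illustration.

```python
import base64
import hashlib
import struct

FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}           # SSHFP fingerprint types
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}  # SSHFP algorithm numbers

def alg_number(key_type):
    """Map an OpenSSH key type name to its SSHFP algorithm number (ECDSA is 3)."""
    return 3 if key_type.startswith("ecdsa-sha2-") else KEY_ALGS.get(key_type)

def key_blob(pubkey_line):
    """Return (key type, raw key blob) from an OpenSSH public key line."""
    fields = pubkey_line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; check it agrees.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return key_type, blob

def sshfp_match(pubkey_line, rdata_list):
    """True if any SSHFP RDATA string '<alg> <fp-type> <hex>' matches the key."""
    key_type, blob = key_blob(pubkey_line)
    for rdata in rdata_list:
        alg, fp_type, *hex_parts = rdata.split()
        hasher = FP_HASHES.get(int(fp_type))
        if int(alg) != alg_number(key_type) or hasher is None:
            continue  # record is for another key algorithm or an unknown hash
        # The fingerprint is the hash of the whole public key blob.
        if hasher(blob).hexdigest() == "".join(hex_parts).lower():
            return True
    return False

def decide(option, matched, dnssec_secure):
    """Simplified model: only 'yes' plus a DNSSEC-validated match is trusted
    implicitly; everything else goes through the usual known_hosts handling."""
    if option == "yes" and matched and dnssec_secure:
        return "accept"
    return "known_hosts_check"

# Constructed sample: an Ed25519 key blob with placeholder key bytes 0..31.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed@example"
SAMPLE_RDATA = ["4 2 " + hashlib.sha256(_blob).hexdigest()]

if __name__ == "__main__":
    ok = sshfp_match(SAMPLE_KEY, SAMPLE_RDATA)
    for secure in (True, False):
        print("dnssec_secure=%s -> %s" % (secure, decide("yes", ok, secure)))
```
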