OpenSSH

From DNSSEC-Tools
DNSSEC-Tools Component
OpenSSH
This describes OpenSSH, which is in the End User Tools category within the DNSSEC-Tools Components framework of tools.
Tool Name: OpenSSH
Tool Type: End User Tools

This patch to OpenSSH contains support for performing local DNSSEC validation for all DNS lookups. This includes initial host to IP address and SSHFP key fingerprint lookups.

Using the DNSSEC Enabled OpenSSH Implementation

Using the OpenSSH implementation requires either downloading pre-built binaries or downloading, patching and compiling the OpenSSH source code. It has been tested with OpenSSH versions 4.5p1 and 4.7p1. The patched code performs DNSSEC validation for all DNS lookups, including the initial host-to-IP-address query and the SSHFP key fingerprint queries. (SSHFP records for a host can be generated on the host with ssh-keygen -r 'hostname', and the output then inserted into your domain's zone file.) DNSSEC validation in OpenSSH is configured via 'VerifyHostKeyDNS', which takes one of three values: no, yes or ask (default: ask):

VerifyHostKeyDNS Configuration

When set to 'no'

On DNS queries that result in untrusted DNSSEC validation, the connection succeeds with a warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNTRUSTED DNS RESOLOUTION FOR HOST IP ADRRESS! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The authenticity of DNS data for the host 'badhost.unknown.com' can't be established.
Last login: Tue Mar 18 16:38:45 2008 from goodhost.unknown.com
badhost>

When set to 'yes'

On DNS queries that result in untrusted DNSSEC validation, the connection fails with a warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNTRUSTED DNS RESOLOUTION FOR HOST IP ADRRESS! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The authenticity of DNS data for the host 'badhost.unknown.com' can't be established.
DNS resolution is not trusted (VAL_BOGUS_UNPROVABLE) and you have requested strict checking
goodhost>

When set to 'ask'

On DNS queries that result in untrusted DNSSEC validation, the user is asked whether to fail or continue:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNTRUSTED DNS RESOLOUTION FOR HOST IP ADRRESS! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The authenticity of DNS data for the host 'badhost.unknown.com' can't be established.
 IP address 10.0.0.1 port 22
 IP address 2001::1 port 22
Are you sure you want to attempt to connect (yes/no)?
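An added example (not code from the DNSSEC-Tools patch or OpenSSH itself) that shows the two things the page describes: what an SSHFP record generated by ssh-keygen -r actually contains, and how the three VerifyHostKeyDNS settings act on a lookup whose DNSSEC validation is untrusted. The host key blob is constructed for the example, and the behaviour for a validated-but-mismatched fingerprint (falling back to the known_hosts check) is an assumption, since the page does not cover that case.

```python
import base64
import hashlib

# RFC 4255 / RFC 6594 SSHFP code points: key algorithm and fingerprint hash type.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample host-key lines (known_hosts format). The blobs are made up
# for this example; they are not real keys.
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed-example-host-key-blob").decode()
OTHER_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed-different-host-key").decode()


def make_sshfp(hostname, pubkey_line, fptype=2):
    """Build the SSHFP record that ssh-keygen -r publishes for one public-key line.
    The fingerprint is the hash (SHA-1 for type 1, SHA-256 for type 2) of the raw,
    base64-decoded key blob, written as lowercase hex."""
    keytype, blob_b64 = pubkey_line.split()[:2]
    digest = SSHFP_HASH[fptype](base64.b64decode(blob_b64)).hexdigest()
    return f"{hostname} IN SSHFP {SSHFP_ALG[keytype]} {fptype} {digest}"


def sshfp_matches(record, pubkey_line):
    """Compare the host key the server offers at connect time with a published
    SSHFP record; both the algorithm number and the fingerprint must agree."""
    alg, fptype, fp = record.split()[-3:]
    keytype, blob_b64 = pubkey_line.split()[:2]
    if SSHFP_ALG.get(keytype) != int(alg) or int(fptype) not in SSHFP_HASH:
        return False
    digest = SSHFP_HASH[int(fptype)](base64.b64decode(blob_b64)).hexdigest()
    return digest == fp.lower()


def host_key_decision(verify_host_key_dns, dns_validated, sshfp_ok):
    """Outcome of one SSHFP lookup under the VerifyHostKeyDNS setting.
    Untrusted DNSSEC data (e.g. VAL_BOGUS_UNPROVABLE) connects with a warning
    for 'no', aborts for 'yes' and prompts the user for 'ask', as the page shows."""
    if not dns_validated:
        return {"no": "connect-with-warning", "yes": "fail", "ask": "prompt"}[verify_host_key_dns]
    # Assumption: a validated record whose fingerprint does not match the offered
    # key is not trusted, and the client falls back to the usual known_hosts check.
    return "trusted" if sshfp_ok else "fallback-to-known-hosts"
```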
