[olug] Making SSH key distribution and verification easier
Kevin
sharpestmarble at gmail.com
Fri Feb 10 19:10:03 UTC 2012
On Fri, Feb 10, 2012 at 07:49, Dan Linder <dan at linder.org> wrote:
>> For the fun of it, I put some SSHFP keys into a DNS server because the
>> documentation in man ssh was just too easy. (However, since we are
>> not doing DNSSEC yet, it does not do much.)
>
> What happens if things are turned on their head and a "bad guy" can
> spoof an update to your DNS and adds his own SSH key into your DNS
> entries? If you've started going down the SSH-key-in-DNS route and
> set up your ssh clients to authenticate based on this information, it's
> possible to have your communication exposed by someone who injects
> their own SSH key and performs a MITM attack, isn't it?
Which is why he says that it does not do much yet, and said "For the fun of it".