openssh, SSHFP, DNSSEC and OSX

See:

~$ grep ^VerifyHostKeyDNS .ssh/config
VerifyHostKeyDNS yes
~$ ssh -v big.sokoll.com
[…]
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:YnFuxTWl/p1hVfB9GelWMQnpbNjF6FXBC+IQQWjnnng
debug1: found 8 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS

Note the insecure!
The zone is DNSSSEC signed. This only hap­pens to me on OSX, with the ship­ped ssh cli­ent and also with the one from mac­ports. Works fine on linux, no inse­cu­re keys.
We need to use ldns:

~$ sudo port clean openssh ; sudo port install openssh +ldns

And voilá!

~$ ssh -v big.sokoll.com
[…]
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:YnFuxTWl/p1hVfB9GelWMQnpbNjF6FXBC+IQQWjnnng
debug1: found 8 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS

Dun­no about home­brew.

 

0

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.

© Rainer Sokoll Frontier Theme