"VerifyHostKeyDNS yes" does not work as expected
Victor Sudakov
vas at mpeks.tomsk.su
Fri May 16 16:53:30 UTC 2014
Matthew Seaman wrote:
> >
> > I have "VerifyHostKeyDNS yes" set in ~/.ssh/config. Yet when I
> > connect to a host, I get:
> >
> > $ ssh admin.sibptus.ru
> > The authenticity of host 'admin.sibptus.ru (212.73.125.240)' can't be established.
> > ECDSA key fingerprint is 83:ca:c0:af:42:5c:35:30:38:d7:78:e3:1d:c9:c2:3e.
> > Matching host key fingerprint found in DNS.
> > Are you sure you want to continue connecting (yes/no)?
> >
> > Why does ssh not implicitly trust the key published in DNS? Why does
> > it ask me?
> >
> > The "sibptus.ru" zone is DNSSEC enabled. The local resolver is
> > configured with "dnssec-validation auto". What else am I missing?
> >
> > Thanks for any ideas.
> >
> > Here is some debug: http://pastebin.com/q12R7RPH
> >
>
> Your debug output suggests that ssh doesn't trust the SSHFP results from
> DNS -- which would seem to be a problem with DNSSEC on your domain.
>
> Given dnsviz.net confirms DNSSEC on your domain is fine,
So does http://dnssec-debugger.verisignlabs.com/sibptus.ru
> I guess you need to look into what your recursive resolver is doing
> with DNSSEC records.
Well, the output of "dig admin.sibptus.ru" has the ad flag; does it
not mean that the DNS reply is authenticated?
I also have information from my friends running Linux that they are
able to connect to admin.sibptus.ru without ssh asking to save the key
in ~/.ssh/known_hosts, so the server side is probably working.
Is there anything the matter with the FreeBSD ssh client? I have
tested on FreeBSD 9.2-STABLE.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
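The prompt quoted above ("Matching host key fingerprint found in DNS." followed by the yes/no question) is what the OpenSSH client prints when an SSHFP record matches but the resolver did not mark the answer as DNSSEC-validated (no AD bit); only a match that is also marked secure lets the connection proceed without asking. The following Python script is an added illustration of that logic, not code from this thread or from OpenSSH: it builds the SSHFP records for a host key the way "ssh-keygen -r" would (SHA-1 and SHA-256 over the raw key blob, with the RFC 4255/6594/7479 algorithm numbers), and then classifies a key against a set of SSHFP rdata strings together with the AD flag of the DNS answer. The host name, the key (a constructed ssh-ed25519 blob, not a real key) and the record strings are all sample values.

```python
import base64
import hashlib
import struct

# SSHFP "algorithm" field: 1 = RSA, 2 = DSA, 3 = ECDSA, 4 = Ed25519
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP "fingerprint type" field: 1 = SHA-1, 2 = SHA-256
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def make_sample_key() -> str:
    """Constructed sample key line in authorized_keys/known_hosts format.

    The 32-byte "public key" is a fixed byte pattern, not a real key; the
    SSHFP fingerprint is computed over the whole base64-decoded blob, so the
    framing is what matters here.
    """
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@example"


def _key_blob(key_line: str):
    """Return (key type, raw blob) from a public key line, checking that the
    type inside the blob matches the declared type."""
    keytype, b64 = key_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key blob does not match declared key type")
    return keytype, blob


def sshfp_records(hostname: str, key_line: str):
    """Produce the zone-file SSHFP records for a host key, one per hash type."""
    keytype, blob = _key_blob(key_line)
    alg = SSHFP_ALGORITHMS[keytype]
    records = []
    for fptype, hashfn in sorted(SSHFP_FPTYPES.items()):
        fp = hashfn(blob).hexdigest()
        records.append(f"{hostname} IN SSHFP {alg} {fptype} {fp}")
    return records


def parse_sshfp_rdata(rdata: str):
    """Parse the rdata part of an SSHFP record: 'alg fptype hexfingerprint'."""
    alg, fptype, fp = rdata.split()
    return int(alg), int(fptype), fp.lower()


def classify_host_key(key_line: str, rdatas, ad_flag: bool) -> str:
    """Mirror the client's decision for VerifyHostKeyDNS:

    "trusted"          a record matches and the answer carried the AD bit
    "match-insecure"   a record matches but the answer was not validated
                       (the client reports the match and still prompts)
    "no-match"         no SSHFP record matches this key
    """
    keytype, blob = _key_blob(key_line)
    alg = SSHFP_ALGORITHMS[keytype]
    matched = False
    for rdata in rdatas:
        r_alg, r_fptype, r_fp = parse_sshfp_rdata(rdata)
        hashfn = SSHFP_FPTYPES.get(r_fptype)
        if r_alg != alg or hashfn is None:
            continue  # different key type or unknown hash type: ignore
        if hashfn(blob).hexdigest() == r_fp:
            matched = True
    if not matched:
        return "no-match"
    return "trusted" if ad_flag else "match-insecure"


if __name__ == "__main__":
    key = make_sample_key()
    for rec in sshfp_records("admin.example.", key):
        print(rec)
    rdatas = [r.split(" IN SSHFP ")[1] for r in sshfp_records("admin.example.", key)]
    print("validated answer :", classify_host_key(key, rdatas, ad_flag=True))
    print("unvalidated answer:", classify_host_key(key, rdatas, ad_flag=False))
```

Running the script prints two SSHFP records for the sample key and then "trusted" for a validated answer versus "match-insecure" for the same records without the AD bit, which is the situation in the quoted prompt. When checking a real resolver, the AD bit must be present in the answer the ssh client itself receives; a validating upstream resolver does not help if the stub resolver on the client drops or does not request it.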