Make openssh even stricter with VerifyHostKeyDNS / SSHFP
From: Fredrik Jonson@21:1/5 to All on Thu Nov 17 11:45:08 2022
Hi,
After many years of bad habits with accepting hostkey changes with TOFU,
I have finally started adding SSHFP RR records to the DNS for some hosts.
Unfortunately old habits die hard, and now I would like for OpenSSH to
actually not apply TOFU, and instead outright terminate the connection
attempt if the host key doesn't match the SSHFP record.
Is there any possibility to configure OpenSSH to do just that? I have tried
StrictHostKeyChecking yes
VerifyHostKeyDNS yes
Which appears to make ssh fail TOFU completely, and won't allow me to connect
if I haven't retrieved the host key out of band before connecting.
On the other hand when I change to
StrictHostKeyChecking accept-new
ssh will only warn, but still allow me to continue even when the SSHFP record does not match.
I'd like to both have the cake and eat it, please. :)
That is, accept-new behaviour, i.e. TOFU for unknown host keys, but to stop the connection attempt entirely when the SSHFP record doesn't match the host key.
Ideas, anyone?
--
Fredrik Jonson
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)
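The policy the post asks for, done outside OpenSSH as an added shell example (not the poster's code and not an OpenSSH feature): the wrapper compares the SSHFP records in DNS with records derived from the keys the host actually presents, refuses on a mismatch, pins the DNS-verified keys when they match, and falls back to accept-new only when DNS has no SSHFP records. It assumes dig, ssh-keyscan, ssh-keygen and ssh are on PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of OpenSSH or the post: wrap ssh so that a host
# whose DNS SSHFP records exist but do not match the key it presents is
# refused, while a host with no SSHFP records still gets accept-new (TOFU).
# Assumes dig, ssh-keyscan, ssh-keygen and ssh are on PATH.
# Normalise SSHFP records on stdin to "algorithm fptype hex" lines:
# lowercase, hex re-joined if dig split it, duplicates removed.
norm_sshfp() {
    awk 'NF >= 3 { fp = ""; for (i = 3; i <= NF; i++) fp = fp $i
                   print $1, $2, tolower(fp) }' | sort -u
}

# $1 = normalised DNS records, $2 = normalised records derived from the keys
# the host presented.  Prints "absent" (no SSHFP in DNS), "match" (some DNS
# record equals a presented-key record) or "mismatch" (none does).
sshfp_verdict() {
    [ -n "$1" ] || { echo absent; return 0; }
    if printf '%s\n' "$1" | awk -v keys="$2" '
        BEGIN { n = split(keys, k, "\n"); for (i = 1; i <= n; i++) seen[k[i]] = 1 }
        ($0 in seen) { found = 1 }
        END { exit !found }'
    then echo match; else echo mismatch; fi
}

# Connect to host $1 (remaining args go to ssh) under the policy the verdict
# allows.  On "match" the DNS-verified keys become a pinned known_hosts file,
# so strict checking binds the session to exactly the keys DNS vouched for.
# DNSSEC validation of the SSHFP answer (dig +dnssec, AD flag) is not shown.
ssh_sshfp() {
    host=$1; shift
    tmp=$(mktemp) || return 1
    ssh-keyscan -q "$host" >"$tmp" 2>/dev/null || true
    dns=$(dig +short SSHFP "$host" | norm_sshfp)
    keys=$(while read -r _h type key; do
               printf '%s %s\n' "$type" "$key" |
                   ssh-keygen -r "$host" -f /dev/stdin 2>/dev/null || true
           done <"$tmp" | cut -d' ' -f4- | norm_sshfp)
    rc=0
    case $(sshfp_verdict "$dns" "$keys") in
        match)    ssh -o UserKnownHostsFile="$tmp" -o StrictHostKeyChecking=yes \
                      "$host" "$@" || rc=$? ;;
        absent)   ssh -o StrictHostKeyChecking=accept-new "$host" "$@" || rc=$? ;;
        mismatch) echo "refusing $host: SSHFP records do not match its host key" >&2
                  rc=255 ;;
    esac
    rm -f "$tmp"; return "$rc"
}

if [ $# -gt 0 ]; then ssh_sshfp "$@"; fi
```

Run it as `sh wrapper.sh host [ssh args]`; a host that is down yields no keys and, if DNS has SSHFP records, is reported as a mismatch rather than silently connected to.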