Some more editing to make this read better.
parent c41a8a11a2
commit 9e53448453
@ -30,7 +30,7 @@ host-keys of new hosts and new hosts needing to verify host-keys of
existing infrastructure. One way to deal with this is to run a [[https://www.lorier.net/docs/ssh-ca.html][CA,
sign host-keys with it and roll certificates out]].
I on the other hand prefer to use DNS[fn:: I have a laptop sticker and
I on the other hand, prefer to use DNS[fn:: I have a laptop sticker and
travel mug with "We reject kings, presidents and voting. We believe in
rough consensus and running code." crossed out with "Fuck that! Just
put it in DNS." I also have a RUN DNS sticker. I am biased]. [[https://www.rfc-editor.org/rfc/rfc4255][RFC4255]] provides
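Review bot: the comma added in "I on the other hand, prefer to use DNS" is unbalanced; "on the other hand" is a parenthetical and takes a comma on both sides, so the line should read either "I, on the other hand, prefer to use DNS" or keep the original comma-free "I on the other hand prefer to use DNS". With only the trailing comma the sentence reads as if a list item were missing.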
@ -56,10 +56,9 @@ Host *
VerifyHostKeyDNS yes
#+end_example
into your =.ssh/config= it will not work. The magic is /secure
fingerprint/. What the man page means is that a DNS answer for SSHFP
needs to have the /Authentic Data (AD)/ flag set. The flag gets set
when a validating name-server is asked for the SSHFP record, it finds
it and it can validate the answer using DNSSEC.
fingerprint/. What the documentation means is that a DNS answer for
SSHFP needs to have the /Authentic Data (AD)/ flag set. The flag gets
set by a validating name-server if it can DNSSEC validate the SSHFP.
But then the libc stub resolver[fn:: The thingy[fn:: Thingy is a
technical term, don't worry about it.] that ssh uses to talk
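Review bot: "if it can DNSSEC validate the SSHFP" uses DNSSEC as a verb and drops the noun; suggest "if it can validate the SSHFP record using DNSSEC", which also keeps the point of the old wording that the record has to be found and validate before the /Authentic Data (AD)/ flag is set. The other changes in this hunk (man page -> documentation, the tightened second sentence) read fine.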
@ -79,15 +78,20 @@ have a trustworthy validating name-server is to run one on localhost.
trusted. This option is automatically enabled if resolv.conf only
lists name servers on localhost.
The easiest way is to run [[https://man.openbsd.org/unwind.8][unwind(8)]]. [[https://man.openbsd.org/resolvd.8][resolvd(8)]] will then add
=nameserver 127.0.0.1= into =/etc/resolv.conf= and comment out all
other dynamically learned name servers. Just make sure that you are
not using any static configured name servers[fn:: I use ~! route
nameserver $if 149.112.112.9 2620:fe::9 9.9.9.9 2620:fe::fe:9~ in my
main [[http://man.openbsd.org/hostname.if.5][hostname.if(5)]] to add some static name servers in case unwind(8)
crashes[fn:: Not sure why it would do that though. Sounds
unpleasant.].] because you really want to have only =nameserver
127.0.0.1= in there.
The easiest way is to run [[https://man.openbsd.org/unwind.8][unwind(8)]]:
#+begin_src shell
doas rcctl enable unwind
doas rcctl start unwind
#+end_src
[[https://man.openbsd.org/resolvd.8][resolvd(8)]] will then add =nameserver 127.0.0.1= to
=/etc/resolv.conf= and comment out all other dynamically learned name
servers. Just make sure that you are not using any static configured
name servers[fn:: I use ~! route nameserver $if 149.112.112.9
2620:fe::9 9.9.9.9 2620:fe::fe:9~ in my main [[http://man.openbsd.org/hostname.if.5][hostname.if(5)]] to add
some static name servers in case unwind(8) crashes[fn:: Not sure why
it would do that though. Sounds unpleasant.].] because you really want
to have only =nameserver 127.0.0.1= in there.
* Putting it all together
When I install a new host I have out of band access in one way or
another. It might be a serial console, a fake html5 console or some
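Review bot: "static configured name servers" survives the reflow unchanged in both the old and the new paragraph; it should be "statically configured name servers". The new =#+begin_src shell= block with the two =rcctl= commands is a clear improvement, but the sentence right after it, "resolvd(8) will then add =nameserver 127.0.0.1= to =/etc/resolv.conf=", quietly assumes resolvd(8) is already running; half a sentence saying so would save the reader a surprise. Also double-check the nested inline footnote after the reflow: the closing "].]" now sits mid-line in "Sounds unpleasant.].] because you really want", which is correct today but easy to unbalance on the next edit.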