Some more editing to make this read better.

Florian Obser 2023-01-15 08:47:01 +01:00
parent c41a8a11a2
commit 9e53448453


@ -30,7 +30,7 @@ host-keys of new hosts and new hosts needing to verify host-keys of
existing infrastructure. One way to deal with this is to run a [[https://www.lorier.net/docs/ssh-ca.html][CA,
sign host-keys with it and roll certificates out]].
I on the other hand prefer to use DNS[fn:: I have a laptop sticker and
I on the other hand, prefer to use DNS[fn:: I have a laptop sticker and
travel mug with "We reject kings, presidents and voting. We believe in
rough consensus and running code." crossed out with "Fuck that! Just
put it in DNS." I also have a RUN DNS sticker. I am biased]. [[https://www.rfc-editor.org/rfc/rfc4255][RFC4255]] provides
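Review bot: the comma introduced in this hunk sets off only one side of the parenthetical, so "I on the other hand, prefer to use DNS" now separates the subject from its verb. Either bracket the phrase on both sides, "I, on the other hand, prefer to use DNS", or leave the line unpunctuated as it read before.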
@ -56,10 +56,9 @@ Host *
VerifyHostKeyDNS yes
#+end_example
into your =.ssh/config= it will not work. The magic is /secure
fingerprint/. What the man page means is that a DNS answer for SSHFP
needs to have the /Authentic Data (AD)/ flag set. The flag gets set
when a validating name-server is asked for the SSHFP record, it finds
it and it can validate the answer using DNSSEC.
fingerprint/. What the documentation means is that a DNS answer for
SSHFP needs to have the /Authentic Data (AD)/ flag set. The flag gets
set by a validating name-server if it can DNSSEC validate the SSHFP.
But then the libc stub resolver[fn:: The thingy[fn:: Thingy is a
technical term, don't worry about it.] that ssh uses to talk
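Review bot: the rewritten AD-flag sentence uses "DNSSEC validate" as a verb and drops the object that the previous wording had; "if it can DNSSEC validate the SSHFP" reads awkwardly, and SSHFP names a record type rather than the thing being validated. Suggest "if it can validate the SSHFP answer using DNSSEC", keeping "the answer" from the old text, since the AD flag is a header bit on the whole response. Saying plainly that the flag is set "by a validating name-server" is an improvement, because the paragraph that follows about the stub resolver only makes sense if the reader knows the flag originates at the validator, not at the authoritative server.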
@ -79,15 +78,20 @@ have a trustworthy validating name-server is to run one on localhost.
trusted. This option is automatically enabled if resolv.conf only
lists name servers on localhost.
The easiest way is to run [[https://man.openbsd.org/unwind.8][unwind(8)]]. [[https://man.openbsd.org/resolvd.8][resolvd(8)]] will then add
=nameserver 127.0.0.1= into =/etc/resolv.conf= and comment out all
other dynamically learned name servers. Just make sure that you are
not using any static configured name servers[fn:: I use ~! route
nameserver $if 149.112.112.9 2620:fe::9 9.9.9.9 2620:fe::fe:9~ in my
main [[http://man.openbsd.org/hostname.if.5][hostname.if(5)]] to add some static name servers in case unwind(8)
crashes[fn:: Not sure why it would do that though. Sounds
unpleasant.].] because you really want to have only =nameserver
127.0.0.1= in there.
The easiest way is to run [[https://man.openbsd.org/unwind.8][unwind(8)]]:
#+begin_src shell
doas rcctl enable unwind
doas rcctl start unwind
#+end_src
[[https://man.openbsd.org/resolvd.8][resolvd(8)]] will then add =nameserver 127.0.0.1= to
=/etc/resolv.conf= and comment out all other dynamically learned name
servers. Just make sure that you are not using any static configured
name servers[fn:: I use ~! route nameserver $if 149.112.112.9
2620:fe::9 9.9.9.9 2620:fe::fe:9~ in my main [[http://man.openbsd.org/hostname.if.5][hostname.if(5)]] to add
some static name servers in case unwind(8) crashes[fn:: Not sure why
it would do that though. Sounds unpleasant.].] because you really want
to have only =nameserver 127.0.0.1= in there.
* Putting it all together
When I install a new host I have out of band access in one way or
another. It might be a serial console, a fake html5 console or some
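Review bot: the added src block shows how to enable and start unwind(8), but the paragraph after it still tells the reader to "make sure" that only "nameserver 127.0.0.1" ends up in /etc/resolv.conf without showing how to check; a third line such as `cat /etc/resolv.conf` after the two rcctl commands, or one sentence describing what the resolvd(8)-edited file should look like, would close that loop. Two wording points in the same paragraph: "static configured name servers" should read "statically configured name servers", and the footnote describes adding static name servers with `! route nameserver ...` right after the body advises against having any, so a half-sentence on why that setup still leaves only 127.0.0.1 active in resolv.conf would remove the apparent contradiction.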