[tlug] SSH Host Key Fingerprint Distribution
BTW, if anybody's interested, just a few months ago I finally fixed my
(more than ten year old!) known_hosts distribution problem.
I now put SSHFP records into cynic.net, sign the zone (DNSSEC), and
run authenticating name servers on the hosts out from which I ssh. The
truly wonderful thing about this is that I can change a CNAME (e.g.,
repo.cynic.net) to point from one host to a different one and things
continue to work transparently.
Quick hints for those who want to try this at home:
1. Watch out for UDP responses getting too big and being chopped up
by your NAT box or firewall. This may cause you to think that you're
not getting back properly signed responses when you are.
2. Use 'StrictHostKeyChecking yes'.
3. Make sure you have 'options edns0' in the resolv.conf of any
machines relying on an authenticating name server.
4. Make sure that you have a fixed version of OpenSSH. Apparently
the bug is fixed in 4.6 or later; the important patch is here:
https://bugzilla.mindrot.org/show_bug.cgi?id=1299
cjs
--
Curt Sampson <cjs@example.com> +81 90 7737 2974
Mobile sites and software consulting: http://www.starling-software.com
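An added example, not part of the post above, of the core check the setup relies on: deriving the SSHFP RDATA from an OpenSSH public key (what `ssh-keygen -r` emits) and matching a presented host key against the SSHFP records reached through a CNAME such as repo.cynic.net. The host key and zone are constructed stand-ins, and DNSSEC validation is assumed to have already happened in the resolver.

```python
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, 6594, 7479).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
             "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_rdata(pubkey_line, fptype=2):
    """Return (algorithm, fptype, hex fingerprint): the SSHFP RDATA for one
    line of an OpenSSH public key file, as 'ssh-keygen -r host' would emit."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)            # the wire-format blob is what gets hashed
    return SSHFP_ALG[keytype], fptype, SSHFP_HASH[fptype](blob).hexdigest()

def resolve_sshfp(zone, name, max_cname=8):
    """SSHFP records for NAME from the constructed ZONE, following CNAMEs as a
    resolver would (DNSSEC validation is assumed to have already succeeded)."""
    for _ in range(max_cname):
        rr = zone.get(name, {})
        if "CNAME" not in rr:
            return rr.get("SSHFP", [])
        name = rr["CNAME"]
    raise ValueError("CNAME chain too long")

def host_key_matches(zone, name, pubkey_line):
    """True if the key the server presented matches an SSHFP record for NAME.
    This is the comparison ssh makes under VerifyHostKeyDNS; with no match the
    key must be rejected, not silently added to known_hosts."""
    for fptype in (2, 1):                   # prefer SHA-256, accept SHA-1
        if sshfp_rdata(pubkey_line, fptype) in resolve_sshfp(zone, name):
            return True
    return False

def ed25519_pubkey_line(raw32, comment="root@host1"):
    """Build an OpenSSH public key line from 32 raw Ed25519 key bytes
    (SSH string "ssh-ed25519" + SSH string of the key, base64-encoded)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

# Constructed host key (a fixed byte pattern, not a real key) and zone in
# which repo.cynic.net is a CNAME to the host that carries the SSHFP record.
HOST_KEY = ed25519_pubkey_line(bytes(range(32)))
ZONE = {
    "host1.cynic.net.": {"SSHFP": [sshfp_rdata(HOST_KEY, 2)]},
    "repo.cynic.net.": {"CNAME": "host1.cynic.net."},
}
```

Repointing the CNAME at another host whose own SSHFP record is in the zone keeps `host_key_matches` true for the alias, which is the transparent switch the post describes.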