
Feature request: detect SSHFP DNS records and compare with server fingerprint

Open pkubaj opened this issue 7 years ago • 3 comments

SSHFP DNS records are a useful feature which enables one to save SSH fingerprints in DNS, so that you don't have to check them manually. It would be useful if ssh-audit could check for the existence of such records, compare them with the actual fingerprints to see if they match, and give recommendations to disable DSA and ECDSA records (if they exist) and enable RSA and ED25519 (if they don't exist).

It should also recommend disabling SHA1-type records, if enabled, and enabling SHA256, if disabled.

pkubaj avatar Nov 25 '17 17:11 pkubaj
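As an added illustration of the check requested above (example code written for this thread, not part of ssh-audit), the following computes the SSHFP fingerprint for each host key the server offers, compares it with SSHFP rdata fetched from DNS, and emits the algorithm and hash-type recommendations described in the request. The SSHFP algorithm numbers (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519) and fingerprint types (1 SHA-1, 2 SHA-256) are the IANA-registered values; the fingerprint is the hash of the raw wire-format key blob, i.e. the base64 field of the OpenSSH public-key line decoded. The host key and the DNS records in the demo are constructed in the script; the function names `sshfp_from_pubkey`, `parse_sshfp_rdata` and `audit_sshfp` are this example's own and not ssh-audit's API.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (IANA registry; RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
ALGORITHM_NAMES = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_TYPES = {1: ("SHA1", hashlib.sha1), 2: ("SHA256", hashlib.sha256)}


def openssh_line(key_type, raw_key):
    """Build an OpenSSH public-key line from a key-type string and raw key bytes.
    Only used here to construct a sample Ed25519 host key (wire format: string type, string key)."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    blob += struct.pack(">I", len(raw_key)) + raw_key
    return f"{key_type} {base64.b64encode(blob).decode()}"


def sshfp_from_pubkey(pubkey_line, fp_type):
    """Return (algorithm, fp_type, hex_fingerprint) for an OpenSSH public-key line.
    The fingerprint hashes the decoded base64 blob, exactly as 'ssh-keygen -r' does."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    _, hash_fn = FP_TYPES[fp_type]
    return (SSHFP_ALGORITHMS[key_type], fp_type, hash_fn(blob).hexdigest())


def parse_sshfp_rdata(rdata):
    """Parse presentation-format rdata 'algo fptype hex...'; the hex may be split by whitespace."""
    fields = rdata.split()
    return (int(fields[0]), int(fields[1]), "".join(fields[2:]).lower())


def audit_sshfp(host_keys, records):
    """Compare SSHFP records from DNS against the server's host keys.
    host_keys: OpenSSH public-key lines offered by the server.
    records:   SSHFP rdata strings fetched from DNS.
    Returns (matched, unmatched, recommendations). An unmatched record is either stale
    or points at a key the server does not hold, so it must never be treated as verification."""
    computed = {sshfp_from_pubkey(line, t) for line in host_keys for t in FP_TYPES}
    parsed = [parse_sshfp_rdata(r) for r in records]
    matched = [r for r in parsed if r in computed]
    unmatched = [r for r in parsed if r not in computed]

    recs = []
    dns_algos = {r[0] for r in parsed}
    dns_fptypes = {r[1] for r in parsed}
    server_algos = {SSHFP_ALGORITHMS[line.split()[0]] for line in host_keys}
    for weak in (2, 3):  # DSA, ECDSA: recommend removal if published
        if weak in dns_algos:
            recs.append(f"remove {ALGORITHM_NAMES[weak]} SSHFP records")
    for strong in (1, 4):  # RSA, Ed25519: recommend publishing, but only for keys the server has
        if strong in server_algos and strong not in dns_algos:
            recs.append(f"add {ALGORITHM_NAMES[strong]} SSHFP record (server offers this key type)")
    if 1 in dns_fptypes:
        recs.append("remove SHA1 SSHFP records")
    if 2 not in dns_fptypes:
        recs.append("add SHA256 SSHFP records")
    return matched, unmatched, recs


if __name__ == "__main__":
    # Constructed sample host key; the key bytes are NOT a real key.
    host_key = openssh_line("ssh-ed25519", bytes(range(32)))
    dns_records = [
        "%d %d %s" % sshfp_from_pubkey(host_key, 2),  # correct Ed25519/SHA-256 record
        "%d %d %s" % sshfp_from_pubkey(host_key, 1),  # same key, legacy SHA-1 record
        "2 1 " + "ab" * 20,                           # constructed stale DSA/SHA-1 record
    ]
    matched, unmatched, recs = audit_sshfp([host_key], dns_records)
    print("matched:  ", matched)
    print("unmatched:", unmatched)
    for r in recs:
        print("recommend:", r)
```

The example deliberately takes the records as input rather than resolving them itself: in a real check the lookup must request DNSSEC validation and only trust answers the resolver marks as authenticated, otherwise a spoofed SSHFP answer would turn the fingerprint comparison into a false reassurance. Publishing a record is only recommended for key types the server actually offers, since a record with no matching key can never match.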

May also want to verify DNSSEC before consulting SSHFP

egberts avatar May 20 '22 08:05 egberts

That wouldn't work on every network with every DNS server because some are for some reason dropping DNSSEC records.

SuperSandro2000 avatar May 20 '22 09:05 SuperSandro2000

Then one should never trust SSHFP record data if not secured behind DNSSEC.

https://serverfault.com/questions/1063853/sshfp-not-working/1099936#1099936

egberts avatar May 20 '22 14:05 egberts