Generate SSHFP DNS records
Running ssh-keygen -r nine.testrun.org. on the server generates this:
root@nine:~# ssh-keygen -r nine.testrun.org.
nine.testrun.org. IN SSHFP 1 1 dba387c91a3e322b0e6913a148b312e8118a8e3f
nine.testrun.org. IN SSHFP 1 2 5128ef50b2e4fd86a79fa685e2aa0fa7ba1255cdb35ed18ed299a8ece4c2fb57
nine.testrun.org. IN SSHFP 3 1 376642ffe3e546ad6bf3eb9a261ecace439e1c37
nine.testrun.org. IN SSHFP 3 2 ebd632f02d45a7bce6ca8b40e666e7e9abfcf44d04fda5b2fc5b2957f9bfa44e
nine.testrun.org. IN SSHFP 4 1 77b36179c8d024e2a59885fb74bd786990d0142e
nine.testrun.org. IN SSHFP 4 2 014bfe14ffa38da8857b6bfa59f28b73d52756a553dc66c1b4e172d09e70abf1
This is only useful if DNSSEC is supported and the client uses VerifyHostKeyDNS, but it does not hurt to add it on all chatmail servers in any case.
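As an added example (not code from the chatmail project or the issue author), the following Python script shows what `ssh-keygen -r` actually publishes and what a VerifyHostKeyDNS-style client checks: an SSHFP record is the IANA algorithm number, the fingerprint type (1 = SHA-1, 2 = SHA-256) and the hex digest of the raw, base64-decoded public key blob from the `.pub` file. The host name and the Ed25519 key are constructed for the example; the parser is also exercised on one of the records quoted above.

```python
"""SSHFP records: generate them from an OpenSSH public key and verify a
presented host key against them (RFC 4255 / RFC 6594 / RFC 7479 RDATA).

Added example, not chatmail project code. Example key and host name are
constructed; real host keys live in /etc/ssh/ssh_host_*_key.pub.
"""
import base64
import hashlib
import hmac

# IANA SSHFP algorithm numbers, keyed by the OpenSSH key type string.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256 (what ssh-keygen -r emits).
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


# Constructed example host key (NOT a real server key): an Ed25519 public key
# whose 32 raw bytes are 0x01..0x20, wrapped in the OpenSSH blob format.
_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(1, 33)))
EXAMPLE_HOST_KEY = "ssh-ed25519 " + base64.b64encode(_ED25519_BLOB).decode() + " root@example"


def sshfp_records(hostname, pubkey_line):
    """Return the two SSHFP records (SHA-1 and SHA-256) for one public key line,
    in the same presentation format as ssh-keygen -r."""
    keytype, b64blob = pubkey_line.split()[:2]
    algo = SSHFP_ALGORITHMS[keytype]
    blob = base64.b64decode(b64blob)          # hash covers the raw key blob
    return [
        f"{hostname} IN SSHFP {algo} {fptype} {digest(blob).hexdigest()}"
        for fptype, digest in SSHFP_FPTYPES.items()
    ]


def parse_sshfp(record):
    """Parse a presentation-format SSHFP record into (algo, fptype, hexdigest).
    The class field is optional and the hex may be split by whitespace."""
    parts = record.split()
    idx = parts.index("SSHFP")
    algo, fptype = int(parts[idx + 1]), int(parts[idx + 2])
    return algo, fptype, "".join(parts[idx + 3:]).lower()


def verify_host_key(pubkey_line, records):
    """Check a host key presented in the SSH handshake against SSHFP records.
    The records are only worth trusting if the resolver DNSSEC-validated them.
    Returns True iff some record has the key's algorithm number and a digest
    equal to the digest of the presented blob; fingerprint types this code
    cannot compute are skipped rather than treated as a match."""
    keytype, b64blob = pubkey_line.split()[:2]
    algo = SSHFP_ALGORITHMS.get(keytype)
    if algo is None:
        return False
    blob = base64.b64decode(b64blob)
    for rec in records:
        r_algo, r_fptype, r_hex = parse_sshfp(rec)
        digest = SSHFP_FPTYPES.get(r_fptype)
        if r_algo != algo or digest is None:
            continue
        if hmac.compare_digest(digest(blob).hexdigest(), r_hex):
            return True
    return False


def tampered_key(pubkey_line):
    """Simulate a substituted host key: flip one bit of the key material.
    Any such change must fail SSHFP verification."""
    fields = pubkey_line.split()
    blob = bytearray(base64.b64decode(fields[1]))
    blob[-1] ^= 0x01
    fields[1] = base64.b64encode(bytes(blob)).decode()
    return " ".join(fields)


if __name__ == "__main__":
    recs = sshfp_records("nine.example.org.", EXAMPLE_HOST_KEY)
    for r in recs:
        print(r)
    print("genuine key verifies:", verify_host_key(EXAMPLE_HOST_KEY, recs))
    print("tampered key verifies:", verify_host_key(tampered_key(EXAMPLE_HOST_KEY), recs))
```

On a real client the equivalent check is switched on with `VerifyHostKeyDNS yes` (or `ask`) in `ssh_config`; OpenSSH only treats the SSHFP answer as authoritative when its resolver reports it DNSSEC-validated (AD bit set), otherwise the records merely annotate the usual fingerprint prompt, which is the caveat the post above makes.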
Works
please be more verbose why you want to have this. We are not using DNSSEC on nine, are we? Is any chatmail service using DNSSEC currently? Is SSHFP a crucial bit missing? Could SSHFP be useful without DNSSEC, as someone who hacks a chatmail server can not necessarily also change DNS?
Yes, I always use it, even with "Koffer". It is suggested as a security add-on to avoid hijacking the ssh login. The public key on the server can be attacked. By comparing the fingerprint, this fault is found faster and, maybe, automatically.
But: it means that, to comply, one only uses the ssh key with cmdeploy. And on the system.
The key which is used when running cmdeploy for the first time could be recorded in DNS.
holger krekel @.***> wrote on Wed., 3 Apr. 2024, 11:57:
please be more verbose why you want to have this. We are not using DNSSEC on nine, are we? Is any chatmail service using DNSSEC currently? Is SSHFP a crucial bit missing? Could SSHFP be useful without DNSSEC, as someone who hacks a chatmail server can not necessarily also change DNS?
This is not really related to chatmail and more to SSH configuration, so on stable servers this can be done once if needed. Let's close this for now unless someone is interested enough in making it into a PR.
Agreed!
link2xt @.***> wrote on Fri., 21 June 2024, 17:04:
This is not really related to chatmail and more to SSH configuration, so on stable servers this can be done once if needed. Let's close this for now unless someone is interested enough in making it into a PR.