FS#45477 - [AUR 4] Publish SSH host authenticity key fingerprints in a DNS SSHFP record.
Attached to Project:
AUR web interface
Opened by Wyatt J. Brown (sushidude) - Friday, 26 June 2015, 13:52 GMT
Last edited by Lukas Fleischer (lfleischer) - Saturday, 17 October 2015, 13:27 GMT
Opened by Wyatt J. Brown (sushidude) - Friday, 26 June 2015, 13:52 GMT
Last edited by Lukas Fleischer (lfleischer) - Saturday, 17 October 2015, 13:27 GMT
|
Details
Since we recently added the SSH host authenticity key
fingerprints to the front page of the AUR 4, it would also
be wise to publish them in a DNS record.
As defined in RFC 4255, OpenSSH has specific support for checking key fingerprints published in SSHFP records. This adds an extra level of security because the fingerprints are available from many different sources. I would recommend setting a reasonably high TTL so the fingerprints are cached, this makes it harder for an attacker in the scenario that they gain control over the authoritative DNS server. While it is not necessary, this would be especially secure if we enable DNSSEC on the archlinux.org domain. Although, I would highly recommend that DNSSEC be set up for the archlinux.org domain for reasons listed in the complementary bug report below. These records can be generated for the AURs using the following commands: ssh-keygen -r aur4.archlinux.org ssh-keygen -r aur.archlinux.org This bug report also complements this one: https://bugs.archlinux.org/task/45476 Please read the complementary bug report in its entirety as it has a massive security impact on the AUR 4 and OpenSSH in general. |
This task depends upon
1) Ask Hetzner to add SSHFP support.
2) Run a DNS server and only delegate the aur subdomain to it.
3) Run a DNS server for the whole archlinux.org domain
4) NOP