Conversation

As a measure of added security, we've published the ssh public keys for our self-hosted git server ( git-01.md.hardenedbsd.org ). You can find the key material in the following three places: 1. hardenedbsd.org/content/harden 2. git-01.md.hardenedbsd.org/HardenedBSD/pu 3. groups.google.com/a/hardenedbsd.

Daniel Micay

@DanielMicay

Replying to

@HardenedBSD

You should add SSHFP records and enable checking it in the SSH client configuration: VerifyHostKeyDNS ask You can get the DNS records to add like this: ssh-keyscan -D hardenedbsd.org Add the records with hash type 2 (sha256) for each enabled key type.

10:06 PM · Jan 15, 2021Twitter Web App

Replying to

and

It goes nicely with DNSSEC. I always add SSHFP records for every subdomain along with TLSA for TLS. It's unfortunate that checking it isn't enabled by default in the client. I went back and tried to figure out why and it seems people didn't like the tiny bit of added latency.

Replying to

We'll do that soon. Thanks for the input!

Replying to

Can look at `drill grapheneos.org SSHFP` for an example. If you connect with `ssh -o VerifyHostKeyDNS=Ask grapheneos.org`, you'll see it says "Matching host key fingerprint found in DNS." and it has a loud warning if there's a mismatch. Nice way to use DNSSEC.

grapheneos.org

GrapheneOS: the private and secure mobile OS

GrapheneOS is a security and privacy focused mobile OS with Android app compatibility.

Show replies