As a measure of added security, we've published the SSH public keys for our self-hosted git server (git-01.md.hardenedbsd.org).
You can find the key material in the following three places:
1. hardenedbsd.org/content/harden
2. git-01.md.hardenedbsd.org/HardenedBSD/pu
3. groups.google.com/a/hardenedbsd.
You should add SSHFP records and enable checking it in the SSH client configuration:
VerifyHostKeyDNS ask
You can get the DNS records to add like this:
ssh-keyscan -D hardenedbsd.org
Add the records with hash type 2 (sha256) for each enabled key type.
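The record-generation and checking steps from the reply above, as an added example (not code from this thread, from HardenedBSD, or from OpenSSH): it derives SSHFP records from an OpenSSH public key line the way `ssh-keygen -r` does (hash of the raw key blob), parses records as `dig` or `ssh-keyscan -D` would print them, and verifies a key against them while accepting only hash type 2 (SHA-256). Standard library only. The key it builds is constructed placeholder data, not the git-01.md.hardenedbsd.org host key; the hostnames are placeholders too.

```python
"""Derive and verify SSHFP records for OpenSSH host public keys.

Added example, not code from the thread or from HardenedBSD. Standard
library only. The key produced by constructed_ed25519_pubkey() is
CONSTRUCTED test data, not the git-01.md.hardenedbsd.org host key.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers, keyed by the OpenSSH key type string
# (RFC 4255 for RSA/DSA, RFC 6594 for ECDSA, RFC 7479 for Ed25519).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_SHA1 = 1
FP_SHA256 = 2


def key_blob_digests(pubkey_line):
    """Return (sshfp_algorithm, {fptype: hex_digest}) for one public key line.

    The fingerprint is the hash of the raw key blob, i.e. the base64-decoded
    second field of the line (the same bytes ssh-keygen -r hashes).
    """
    keytype, blob_b64 = pubkey_line.split()[:2]
    alg = SSHFP_ALGORITHM[keytype]  # KeyError for key types SSHFP cannot carry
    blob = base64.b64decode(blob_b64)
    return alg, {
        FP_SHA1: hashlib.sha1(blob).hexdigest(),
        FP_SHA256: hashlib.sha256(blob).hexdigest(),
    }


def sshfp_records(hostname, pubkey_line, fp_types=(FP_SHA256,)):
    """Zone-file SSHFP RRs for one key; SHA-256 (type 2) only by default."""
    alg, digests = key_blob_digests(pubkey_line)
    return [f"{hostname} IN SSHFP {alg} {fpt} {digests[fpt]}" for fpt in fp_types]


def parse_sshfp(record):
    """Parse 'host [ttl] [IN] SSHFP alg fptype hex...' into (alg, fptype, hex).

    dig wraps long RDATA, so the hex may arrive split across whitespace
    and in upper case; both are normalised here.
    """
    fields = record.split()
    i = fields.index("SSHFP")
    alg, fptype = int(fields[i + 1]), int(fields[i + 2])
    return alg, fptype, "".join(fields[i + 3:]).lower()


def key_matches_sshfp(pubkey_line, records, require_sha256=True):
    """True if the key blob matches at least one record for its algorithm.

    With require_sha256=True, type-1 (SHA-1) records are ignored, so a
    match can only come from a type-2 (SHA-256) record. A zone that carries
    only type-1 records therefore fails and needs type-2 records published.
    """
    keytype = pubkey_line.split()[0]
    if keytype not in SSHFP_ALGORITHM:
        return False
    alg, digests = key_blob_digests(pubkey_line)
    for rec in records:
        r_alg, r_fpt, r_fp = parse_sshfp(rec)
        if r_alg != alg or (require_sha256 and r_fpt != FP_SHA256):
            continue
        if r_fp == digests.get(r_fpt):
            return True
    return False


def constructed_ed25519_pubkey():
    """Build a syntactically valid ssh-ed25519 line (CONSTRUCTED, not a real key).

    Wire format: the string "ssh-ed25519" followed by the 32-byte public key,
    each length-prefixed with a big-endian uint32.
    """
    point = bytes(range(32))  # placeholder bytes standing in for a public key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " example"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey()
    zone = sshfp_records("git.example.org", key)  # placeholder hostname
    for rr in zone:
        print(rr)
    print("matches:", key_matches_sshfp(key, zone))
```

Run it against a real key by feeding the line from `/etc/ssh/ssh_host_ed25519_key.pub` (or the key material the post links to) into `sshfp_records`; the output should match what `ssh-keygen -r <host> -f <pubkey>` prints for hash type 2. `key_matches_sshfp` is the offline form of the comparison the client makes once `VerifyHostKeyDNS` is set, minus the DNSSEC step: the client only treats a match as trustworthy when the resolver validated the answer, which is why the two settings belong together.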
It goes nicely with DNSSEC. I always add SSHFP records for every subdomain along with TLSA for TLS. It's unfortunate that checking it isn't enabled by default in the client. I went back and tried to figure out why and it seems people didn't like the tiny bit of added latency.

