As a measure of added security, we've published the SSH public keys for our self-hosted git server (git-01.md.hardenedbsd.org).
You can find the key material in the following three places:
1. hardenedbsd.org/content/harden
2. git-01.md.hardenedbsd.org/HardenedBSD/pu
3. groups.google.com/a/hardenedbsd.
You should add SSHFP records and enable checking it in the SSH client configuration:
`VerifyHostKeyDNS ask`
You can get the DNS records to add like this:
`ssh-keyscan -D hardenedbsd.org`
Add the records with hash type 2 (sha256) for each enabled key type.
You can look at `drill grapheneos.org SSHFP` for an example.
If you connect with `ssh -o VerifyHostKeyDNS=Ask grapheneos.org`, you'll see it says "Matching host key fingerprint found in DNS." and it has a loud warning if there's a mismatch. Nice way to use DNSSEC.
I disable everything but ed25519 for simplicity. Should add a record for each enabled key type.
The default algorithm order prefers ecdsa so that's what clients will have pinned in their known_hosts. Probably best to leave it enabled if it was already being used by other people.
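The two replies above describe one procedure: derive an SSHFP record (SHA-256, fingerprint type 2) from each enabled host key, publish it in DNSSEC-signed DNS, and let the client compare the presented host key against those records. The script below is an added example written for this thread, not HardenedBSD's or OpenSSH's code. It builds the SSHFP rdata the way `ssh-keyscan -D` does (digest over the whole base64-decoded key blob, algorithm number from the key type) and then runs a deliberately simplified model of the client-side check to show why a record is needed for every enabled key type: with only an ed25519 record published, a client that has the server's ecdsa key pinned gets no DNS verification at all. The key material is constructed dummy bytes, not a real host key, and the hostname is the one from the original post.

```python
"""SSHFP records from OpenSSH public-key lines, plus a simplified client-side check.
Added example for this thread; not HardenedBSD's or OpenSSH's code.
The key bytes below are constructed for the demo and are not real host keys."""
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255 / 6594 / 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (legacy), 2 = SHA-256 (the one the thread recommends).
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """RFC 4253 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int = 0):
    """Read one RFC 4253 string from blob at offset; return (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_pubkey_line(line: str):
    """Split '<type> <base64> [comment]' into (keytype, blob), rejecting lines whose
    declared type does not match the type encoded inside the blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64>'")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    inner, _ = read_ssh_string(blob)
    if inner.decode("ascii", "replace") != keytype:
        raise ValueError(f"declared type {keytype!r} does not match blob type {inner!r}")
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {keytype}")
    return keytype, blob


def sshfp_rdata(pubkey_line: str, fptype: int = 2):
    """Return (algorithm, fptype, hex_fingerprint) as carried in an SSHFP RR.
    The fingerprint is the digest of the whole decoded key blob."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    return SSHFP_ALGORITHM[keytype], fptype, SSHFP_FPTYPE[fptype](blob).hexdigest()


def sshfp_record(hostname: str, pubkey_line: str, fptype: int = 2) -> str:
    """Zone-file presentation: 'host. IN SSHFP <alg> <fptype> <hex>'."""
    alg, fpt, digest = sshfp_rdata(pubkey_line, fptype)
    return f"{hostname.rstrip('.')}. IN SSHFP {alg} {fpt} {digest}"


def check_host_key(pubkey_line: str, records) -> str:
    """Simplified model of what a VerifyHostKeyDNS client does (not OpenSSH's code).
    MATCH:     a record for this key's algorithm and fptype carries its fingerprint.
    MISMATCH:  records for this algorithm exist but none match (key changed or MITM).
    NO_RECORD: nothing published for this key's algorithm, so DNS gives no protection.
    records is an iterable of (algorithm, fptype, hex_fingerprint) tuples."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    alg, found = SSHFP_ALGORITHM[keytype], False
    for rec_alg, rec_fpt, rec_hex in records:
        if rec_alg != alg or rec_fpt not in SSHFP_FPTYPE:
            continue
        found = True
        if hmac.compare_digest(SSHFP_FPTYPE[rec_fpt](blob).hexdigest(), rec_hex.lower()):
            return "MATCH"
    return "MISMATCH" if found else "NO_RECORD"


def constructed_key(keytype: str, material: bytes) -> str:
    """Build a syntactically valid public-key line from dummy bytes (demo input only)."""
    if keytype.startswith("ecdsa-sha2-"):
        curve = keytype[len("ecdsa-sha2-"):].encode()
        blob = ssh_string(keytype.encode()) + ssh_string(curve) + ssh_string(material)
    else:
        blob = ssh_string(keytype.encode()) + ssh_string(material)
    return f"{keytype} {base64.b64encode(blob).decode()} constructed-sample"


HOST = "git-01.md.hardenedbsd.org"                                   # from the post
ED25519_KEY = constructed_key("ssh-ed25519", bytes(range(32)))       # constructed
ECDSA_KEY = constructed_key("ecdsa-sha2-nistp256", b"\x04" + bytes(range(64)))  # constructed

if __name__ == "__main__":
    for key in (ED25519_KEY, ECDSA_KEY):      # one record per enabled key type
        print(sshfp_record(HOST, key))
    only_ed25519 = [sshfp_rdata(ED25519_KEY)]  # what happens if only one type is published
    print("ed25519 client:", check_host_key(ED25519_KEY, only_ed25519))
    print("ecdsa client:  ", check_host_key(ECDSA_KEY, only_ed25519))
```

On a real host the input lines are `/etc/ssh/ssh_host_*_key.pub` or the output of `ssh-keyscan`, and the printed records go into the DNSSEC-signed zone; the client-side model only exists to make the "record per key type" point concrete and does not reproduce OpenSSH's exact warning logic.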

