Re: X.509 and ssh

"DT" == Darren Tucker <dtucker@xxxxxxxxxxxxxxxx> writes:

DT> On 2006-02-12, Richard E. Silverman <res@xxxxxxxx> wrote:
>>>>>>> "DT" == Darren Tucker <dtucker@xxxxxxxxxxxxxxxx> writes:
DT> There's another option not mentioned, and it is a (proposed)
DT> standard: SSH fingerprints via DNS, RFC4255. It needs a secure
DT> DNS to be useful, and only helps with known hosts, though.
>> Good point; thanks. I'm not sure what you mean by "only helps
>> with known hosts," though; could you clarify?

DT> You can't use it to centralise, eg, authorized_keys.

DT> To achieve the same effect as, eg, kerberos single sign on you
DT> would still need to distribute authorized_keys files to the
DT> relevant servers.

Oh, you mean it doesn't help with user authentication. Yes; I was only
talking about server auth.

Richard Silverman
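
An added illustration of the RFC 4255 mechanism discussed in this message (not part of the original post and not OpenSSH's code): deriving the SSHFP record data for a host key and accepting a presented host key only when a matching record came from validated DNS. The function names, the toy key and the dnssec_validated flag (standing in for the resolver's validation result) are assumptions made for this example. It covers server authentication only; nothing here replaces authorized_keys.

```python
import base64
import hashlib
import struct

# RFC 4255 section 3.1.1 key algorithm numbers and section 3.1.2 fingerprint type.
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2}
FP_SHA1 = 1

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def constructed_host_key_line() -> str:
    """Constructed sample key line (toy values, not a usable key)."""
    blob = (_ssh_string(b"ssh-rsa")
            + _ssh_string(b"\x01\x00\x01")            # public exponent 65537
            + _ssh_string(b"\x00" + b"\xc3" * 32))    # toy modulus
    return "ssh-rsa " + base64.b64encode(blob).decode() + " host.example"

def parse_key_line(line: str):
    """Return (key type, public key blob) from a 'type base64 [comment]' line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    if key_type not in KEY_ALGS:
        raise ValueError("key type has no RFC 4255 algorithm number")
    return key_type, blob

def sshfp_rdata(line: str) -> str:
    """SSHFP RDATA in presentation form: '<alg> <fp type> <hex SHA-1 of blob>'."""
    key_type, blob = parse_key_line(line)
    return f"{KEY_ALGS[key_type]} {FP_SHA1} {hashlib.sha1(blob).hexdigest()}"

def host_key_trusted(line: str, rdatas, dnssec_validated: bool) -> bool:
    """Accept the presented host key only if a validated SSHFP record matches."""
    if not dnssec_validated:
        return False  # an unauthenticated answer proves nothing about the host
    want = sshfp_rdata(line)
    return any(" ".join(r.split()).lower() == want for r in rdatas)

if __name__ == "__main__":
    key = constructed_host_key_line()
    print("host.example. IN SSHFP", sshfp_rdata(key))
```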

