In the third slot was Hennig et al.'s "Fix It - If you Can! Towards Understanding the Impact of Tool Support and Domain Owners' Reactions to SSHFP Misconfigurations" on how notifications and tool support shape SSHFP remediation. (https://www.acsac.org/2025/program/final/s97.html) 4/6
#SSHFP #DNSSEC

Getting DNSSEC and SSHFP working on Linux Mint and Ubuntu

SSH should verify host keys via DNSSEC-secured SSHFP records. Problem: systemd-resolved was stripping the AD flag. Fix: remove systemd-resolved, use NetworkManager with the trust-ad option. DNSSEC now works correctly.

https://www.kernel-error.de/2024/03/29/linux-mint-ubuntu-und-dnssec/
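As an added illustration of the checks the post above relies on (not code from the post or the linked article): a client should only accept an SSHFP match when the resolver set the AD flag, and the SSHFP digest is computed over the raw base64-decoded key blob, exactly as `ssh-keygen -r` does. The host key below is a constructed ed25519 key, not a real one.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255 / RFC 6594) and fingerprint types.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed sample host key (32 deterministic bytes, NOT a real key).
_raw_blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
CONSTRUCTED_KEY = "ssh-ed25519 " + base64.b64encode(_raw_blob).decode() + " constructed@example"


def sshfp_from_pubkey(pubkey_line: str, fptype: int = 2) -> tuple[int, int, str]:
    """Derive the (algorithm, fptype, hex digest) SSHFP triple from an
    OpenSSH public key line. The digest covers the decoded key blob."""
    keytype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    return SSHFP_ALGO[keytype], fptype, SSHFP_FPTYPE[fptype](blob).hexdigest()


def has_ad_flag(dig_header: str) -> bool:
    """Return True if a dig-style ';; flags:' line carries the AD bit."""
    _, sep, rest = dig_header.partition("flags:")
    if not sep:
        return False
    return "ad" in rest.split(";", 1)[0].split()


def verify_sshfp(pubkey_line: str, records: list[tuple[int, int, str]], ad_flag: bool) -> bool:
    """Accept the host key only if a DNSSEC-validated SSHFP record matches it.
    Without AD the answer could have been forged, so it is never trusted."""
    if not ad_flag:
        return False
    for algo, fptype, digest in records:
        if fptype not in SSHFP_FPTYPE:
            continue  # unknown fingerprint type: skip, do not fail open
        if (algo, fptype, digest.lower()) == sshfp_from_pubkey(pubkey_line, fptype):
            return True
    return False
```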

@samuel #SSHFP #DNS Record and #DNSSEC are also missing. And that with #SSH being the most important service protocol, besides HTTPS.
@ruawhitepaw #Github is also missing #SSHFP DNS records and #DNSSEC, which would help protect their users accessing it via git over SSH!

Special thanks to @gehaxelt, who is the co-author of the paper that is based on his previous work on identifying #SSHFP misconfigurations, and Peter Mayer. Also many thanks to the organizers and the great audience at #ACSAC for an overall great conference!

🔗 full paper can be read here: https://publikationen.bibliothek.kit.edu/1000186330

@kitcybersec @SECUSO_Research @kastel @KIT_Karlsruhe

The #paper "Fix It - If you Can! Towards Understanding the Impact of Tool Support and Domain Owners' Reactions to SSHFP Misconfigurations" by Anne Hennig, Sebastian Neef, and Peter Mayer has been accepted for presentation at the @ACSAC_Conf! The paper sent notifications to domain owners with misconfigured #SSHFP records, investigating the effect of tool support. While the sender of the #notification itself has no effect, the results suggest that tool support might increase remediation when the sender of the notification is different from the institution providing the tool. By analyzing domain owners' responses to the authors' notification, multiple reasons for non-remediation were identified, supporting the argument that remediation rate should not be considered a success measure for a notification campaign but instead individual challenges faced by domain owners should be taken into account. ACSAC will take place December 8 to 12, 2025, in Honolulu, Hawaii, USA: https://www.acsac.org/
@Aryderwood @gehaxelt
Annual Computer Security Applications Conference (ACSAC)

The Annual Computer Security Applications Conference (ACSAC) brings together cutting-edge researchers, with a broad cross-section of security professionals drawn from academia, industry, and government, gathered to present and discuss the latest security results and topics. With peer reviewed technical papers, invited talks, panels, national interest discussions, and workshops, ACSAC continues its core mission of investigating practical solutions for computer and network security technology.

How FreeIPA protects SSH from MITM attacks

Hi, Habr! Today we invite you to dive into the inner workings of the SSH protocol, paying special attention to its integration with a FreeIPA domain. Setting up this interaction will be of interest to administrators used to centralized management of Windows servers and workstations that are members of MS AD. Developing our product line involves an in-depth analysis of the technology stack, and we want to share the results of our research with readers. As everyone knows, time is money, so engineers try to set up remote access wherever they can, so that nothing has to be administered on foot.

https://habr.com/ru/companies/astralinux/articles/946002/

#ssh #freeipa #ald_pro #mitm #ключи #dh #sshfp #kerberos #sssd #диффихеллман

@letoams Similarly, #SSHFP records of #gitlab users may be published. Both gitlab.isc.org and gitlab.nic.cz are on DNSSEC signed domains. Gitlab knows SSH keys of their users, very often used. They could export them for outer verification, just some way of mapping SSH key to username is required. We have those concepts for OPENPGPKEY and SMIMEA records. Would a new draft for SSHFP make sense too? Should it include public key directly in DNSKEY/KEY record?
@soatok @letoams For example mastodns.net is a Fedi server on #DNSSEC signed zone, algorithms 13 or 8 used only. I see no weakness if they would allow publishing of keys, RFC 7929 style. But with #SSHFP RR digests, to prove my identity of git ssh signed software, just like you have proposed. Just choose well your TLD and that's it. Append only log is important to prove no other CA made cert for my name. But we have just one parent domain key in #DNS. Give it a chance, it is not so bad. 😀