In the third slot was Hennig et al.'s "Fix It - If you Can! Towards Understanding the Impact of Tool Support and Domain Owners' Reactions to SSHFP Misconfigurations" on how notifications and tool support shape SSHFP remediation. (https://www.acsac.org/2025/program/final/s97.html) 4/6
#SSHFP #DNSSEC

Getting DNSSEC and SSHFP working on Linux Mint and Ubuntu

SSH should verify host keys via DNSSEC-secured SSHFP records. Problem: systemd-resolved filtered out the AD flag. Solution: drop systemd-resolved, use NetworkManager with the trust-ad option. DNSSEC now works correctly.

https://www.kernel-error.de/2024/03/29/linux-mint-ubuntu-und-dnssec/
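A worked example of what that verification actually hinges on (added here; it is not code from the kernel-error.de post, from the ACSAC paper, or from any project named on this page): it derives the SSHFP RDATA from an OpenSSH public-key line the way `ssh-keygen -r` does, then judges a dig-style answer the way `ssh` with `VerifyHostKeyDNS yes` does, trusting a matching record only when the resolver set the AD (authenticated data) flag, which is exactly what the resolved-to-NetworkManager switch above was about. It also reports published records that match no current host key, the kind of stale SSHFP misconfiguration the paper's notifications targeted. The host key, the name host.example.org and the dig output are constructed test data, not captured from a real host.

```python
"""Generate SSHFP records from OpenSSH host keys and judge a DNS answer the
way ssh does with VerifyHostKeyDNS: a matching record is trusted only if the
resolver reported the AD flag (DNSSEC validated). Added example, not code from
kernel-error.de or the ACSAC paper."""
import base64
import hashlib
import re
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479, RFC 8709)
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """Return [(algo, fptype, hex)] for one OpenSSH public-key line, i.e. the
    RDATA `ssh-keygen -r` prints. The digest covers the wire-format key blob
    (the base64 field), not the text line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob begins with the key type as a length-prefixed string; refuse
    # lines where it does not match the first field (corrupt or tampered).
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type field does not match key blob")
    algo = SSHFP_ALGO[keytype]
    return [(algo, t, h(blob).hexdigest()) for t, h in sorted(FP_TYPES.items())]


def has_ad_flag(dig_output):
    """True if the `;; flags:` line of a dig answer carries 'ad'."""
    m = re.search(r"^;; flags:\s*([^;]*);", dig_output, re.M)
    return bool(m) and "ad" in m.group(1).split()


def parse_sshfp(dig_output):
    """Extract (algo, fptype, hex) tuples from the SSHFP RRs in a dig answer."""
    out = []
    for line in dig_output.splitlines():
        if line.startswith(";") or " SSHFP " not in line.replace("\t", " "):
            continue
        f = line.split()
        i = f.index("SSHFP")
        fp = "".join(f[i + 3:]).strip("()").lower()  # dig may wrap long RDATA
        out.append((int(f[i + 1]), int(f[i + 2]), fp))
    return out


def check_host(dig_output, host_key_lines):
    """Return (verdict, stale). verdict mirrors OpenSSH behaviour:
      'validated'          match and AD set  -> accepted without prompting
      'matched_unverified' match but no AD   -> ssh still prompts the user
      'mismatch'           records exist but none matches a current host key
      'no_records'         the zone publishes no SSHFP for this name
    stale lists published records that match no current key."""
    published = set(parse_sshfp(dig_output))
    if not published:
        return "no_records", []
    local = {r for k in host_key_lines for r in sshfp_records(k)}
    stale = sorted(published - local)
    if not (published & local):
        return "mismatch", stale
    return ("validated" if has_ad_flag(dig_output) else "matched_unverified"), stale


# Constructed sample: a throwaway ed25519 "host key" (32 predictable bytes,
# not a real key) and a dig-style answer that publishes its SSHFP records.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " constructed"


def sample_answer(name="host.example.org.", ad=True, records=None):
    """Build dig-style output for `name` (constructed, not captured)."""
    flags = "qr rd ra ad" if ad else "qr rd ra"
    recs = records if records is not None else sshfp_records(SAMPLE_KEY)
    lines = [";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242",
             f";; flags: {flags}; QUERY: 1, ANSWER: {len(recs)}, AUTHORITY: 0, ADDITIONAL: 1",
             ";; ANSWER SECTION:"]
    lines += [f"{name}\t3600\tIN\tSSHFP\t{a} {t} {fp.upper()}" for a, t, fp in recs]
    return "\n".join(lines)


if __name__ == "__main__":
    print(check_host(sample_answer(ad=True), [SAMPLE_KEY]))
    print(check_host(sample_answer(ad=False), [SAMPLE_KEY]))
    print(check_host(sample_answer(records=[(4, 2, "ab" * 32)]), [SAMPLE_KEY]))
    print(check_host(sample_answer(records=[]), [SAMPLE_KEY]))
```

Against a live host you would feed `check_host` the output of `dig +dnssec SSHFP host.example.org` and the lines of `/etc/ssh/ssh_host_*_key.pub`; the `matched_unverified` verdict is what you get on a system where the stub resolver strips the AD bit, which is why ssh kept prompting in the post above even though the records were correct.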

@samuel #SSHFP #DNS Record and #DNSSEC are also missing. And that with #SSH being the most important service protocol, besides HTTPS.
@ruawhitepaw #Github is also missing #SSHFP DNS records and #DNSSEC, which would help protect their users accessing it via git over SSH!
dns/flake.nix at e0b8638f13281cee7080be0f86650fa250f73b43

dns - Old history at https://gitea.c3d2.de/c3d2-admins/c3d2-dns


Special thanks to @gehaxelt, co-author of the paper, which builds on his previous work on identifying #SSHFP misconfigurations, and to Peter Mayer. Also many thanks to the organizers and the great audience at #ACSAC for an overall great conference!

🔗 full paper can be read here: https://publikationen.bibliothek.kit.edu/1000186330

@kitcybersec @SECUSO_Research @kastel @KIT_Karlsruhe

The #paper “Fix It - If you Can! Towards Understanding the Impact of Tool Support and Domain Owners’ Reactions to SSHFP Misconfigurations" by Anne Hennig, Sebastian Neef, and Peter Mayer has been accepted for presentation at the @ACSAC_Conf! The paper sent notifications to domain owners with misconfigured #SSHFP records, investigating the effect of tool support. While the sender of the #notification itself has no effect, the results suggest that tool support might increase remediation when the sender of the notification is different from the institution providing the tool. By analyzing domain owners’ responses to the authors' notification, multiple reasons for non-remediation were identified, supporting the argument that the remediation rate should not be considered a success measure for a notification campaign; instead, the individual challenges faced by domain owners should be taken into account. ACSAC will take place December 8 to 12, 2025, in Honolulu, Hawaii, USA: https://www.acsac.org/
@Aryderwood @gehaxelt
Annual Computer Security Applications Conference (ACSAC)

The Annual Computer Security Applications Conference (ACSAC) brings together cutting-edge researchers, with a broad cross-section of security professionals drawn from academia, industry, and government, gathered to present and discuss the latest security results and topics. With peer reviewed technical papers, invited talks, panels, national interest discussions, and workshops, ACSAC continues its core mission of investigating practical solutions for computer and network security technology.

How FreeIPA protects SSH from MITM attacks

Hi Habr! Today we invite you to dive into the inner workings of the SSH protocol, paying special attention to its integration with a FreeIPA domain. Setting up such an integration will be of interest to administrators used to centralized management of Windows servers and workstations that are members of an MS AD domain. Developing our product line involves in-depth analysis of the technology stack, and we want to share the results of our research with readers. As everyone knows, time is money, so engineers try to set up remote access wherever they can, so that nothing has to be administered on foot.

https://habr.com/ru/companies/astralinux/articles/946002/

#ssh #freeipa #ald_pro #mitm #ключи #dh #sshfp #kerberos #sssd #диффихеллман

@letoams Similarly, #SSHFP records of #gitlab users could be published. Both gitlab.isc.org and gitlab.nic.cz are on DNSSEC-signed domains. Gitlab knows its users' SSH keys, which are used very often. They could export them for external verification; only some way of mapping an SSH key to a username is required. We have such concepts for OPENPGPKEY and SMIMEA records. Would a new draft for SSHFP make sense too? Should it include the public key directly in a DNSKEY/KEY record?
@soatok @letoams For example, mastodns.net is a Fedi server on a #DNSSEC-signed zone; only algorithms 13 or 8 are used. I see no weakness if they would allow publishing of keys, RFC 7929 style. But with #SSHFP RR digests, to prove my identity for git SSH-signed software, just like you have proposed. Just choose your TLD well and that's it. An append-only log is important to prove no other CA issued a cert for my name. But we have just one parent domain key in #DNS. Give it a chance, it is not so bad. 😀