Perform host fingerprint validation via SSHFP fingerprint matching and RES_TRUSTAD flag checking if supported #3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jreidthompson
force-pushed
the
dev-dns-validate-cig
branch
from
dd2ed31 to
b76872c
Compare
jreidthompson
force-pushed
the
dev-dns-validate-cig
branch
3 times, most recently
from
67da1cf to
c4ab7e7
Compare
jreidthompson
force-pushed
the
dev-dns-validate-cig
branch
from
8789b0c to
b8cffbd
Compare
jreidthompson
changed the title
jreidthompson
force-pushed
the
dev-dns-validate-cig
branch
from
75c53c2 to
9670b40
Compare
If linking to libssh2 then also link to resolv Add boolean option repo-sftp-require-trust-ad default false First cut at help text for option, !!! TBD noted for changes if needed before finalizing Update autoconf and meson build instructions for resolv
Update tests
Start adding tests Rename harnessLibResolv* to harnessSftpResolv and update references
Update tests
Update helpTest.c Update testTest.c Minor refactoring
Update tests Functional for all but rh7, needs cleanup/commenting updated
Cleanup, add comments
…or RHEL7 is dropped Format added line in meson.build to match surrounding lines Remove unneeded struct, update log messages Update tests Remove unneeded header resolv.h inclusion Update comments Return inadvertently removed listings in test/code-count/file-type.yaml
Make libresolv optional Update help, tests, etc
Add const modifiers, fix type Update, cleanup, format comments
If any DNS key matches, return success Update tests
jreidthompson
force-pushed
the
dev-dns-validate-cig
branch
from
204a82f to
7cf63c6
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Perform fingerprint verification via SSHFP records. This assumes that DNS resolution is configured to resolve to a DNS server that has been properly configured for DNSSEC and that the path between the ho st and the DNS server is secure. The OS must support RES_TRUSTAD (ad flag) in order to verify via SSHFP. If any DNS provided fingerprints match, the host will be trusted. If the DNS response ad flag is not set, or no DNS fingerprints are provided, or no DNS fingerprints match the host fingerprint, warnings are logged and will failover to attempt to verify via normal methods.