Feature request: detect SSHFP DNS records and compare with server fingerprint

arthepsy / ssh-audit

SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

MIT License

2.96k stars 268 forks source link

Feature request: detect SSHFP DNS records and compare with server fingerprint #34

Open pkubaj opened 7 years ago

pkubaj commented 7 years ago

SSHFP DNS records are a useful feature which enables one to save SSH fingerprints in DNS, so that you don't have to check them manually. It would be useful if ssh-audit could check for existence of such records, compare them with actual fingerprints if they match and put recommendations to disable DSA and ECDSA records (if they exist) and enable RSA and ED25519 (if they don't exist).

It should also recommend to disable SHA1 type records, if enabled and enable SHA256, if disabled.

egberts commented 2 years ago

May also want to verify DNSSEC before consulting SSHFP

SuperSandro2000 commented 2 years ago

That wouldn't work on every network with every DNS server because some are for some reason dropping DNSSEC records.

egberts commented 2 years ago

Then one should never trust SSHFP record data if not secured behind DNSSEC.

https://serverfault.com/questions/1063853/sshfp-not-working/1099936#1099936