
Strength and Weakness of Methods to Confirm SSH Host Key

(advice from maxigas)
"verify your SSH key through the OpenPGP web of trust"
Strength: OpenPGP is cool if you REALLY know how to use it.
Weakness: "vote counting scheme" does not sound too cool.

"use of an organization's own HTTPS site"
(advice from Stephanie Daugherty)
In my personal opinion, this is the best solution.
Weakness: basically nothing - it's very secure.

"use DNSSEC to validate SSH fingerprints"
(advice from Micha Borrmann / Jeroen van der Ham / john)
This is a good solution.
Weakness: HTTPS is more mature than DNSSEC (in my personal opinion).

"ssh-keyscan -p 22 domain.com ..."
(advice from Busindre)
It's the same as running "ssh" directly.

Check SSH (https://checkssh.com/)
(we made it)
Strength: this definitely stops ALL local bad boys.
While it's open source (and the source code is less than 100 lines)...
We simply won't give you the root password of the server (you don't own the server).
If the adversary is EXTREMELY powerful:
It's better to set up your own Check SSH.

Best Wishes,