
Monkeysphere: Verify server SSH keys through the OpenPGP web of trust - planckscnst
http://web.monkeysphere.info/getting-started-ssh/
======
spindritf
You can also publish fingerprints of your host key in DNS[1]. And then

    ssh -o "VerifyHostKeyDNS ask" host.example.com

Alternatively, put

    VerifyHostKeyDNS ask

in your ssh config. Obviously, this would work better with DNSSEC, much
maligned here.

[1] [http://tools.ietf.org/html/rfc4255](http://tools.ietf.org/html/rfc4255)

~~~
daemon13
Practical question - let's say you spin up a new EC2 instance on AWS. This
results in the VM generating a new sshd host key for this instance as part of
the bootstrapping process.

How do you place the sshd host key in DNS records without first connecting to
this instance and getting the key, an action which requires you to check/verify
the sshd host key (which is NOT in DNS yet)?

So it looks a bit like a chicken-and-egg thing...

What am I missing?

~~~
zorlem
The way I can think of is using IAM credentials to allow modification of a
Route53 record using the AWS CLI from the newly spun server. You will need to
write a short script that you could push to the new instance either through
EC2 MetaData or UserData fields.

If there is a demand I could try whipping up a CloudFormation template to do
it.
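The SSHFP records spindritf refers to, and the client-side check `VerifyHostKeyDNS` performs against them, as an added example that is not from the thread or from Monkeysphere: it builds the RFC 4255 record (algorithm, fingerprint type, hex digest of the wire-format key blob) from an OpenSSH `.pub` line, the same data a bootstrap script on a fresh instance would compute before pushing it to Route53, and verifies a presented key against such a record. The sample key is constructed, not a real host's; pushing the record to DNS is left out.

```python
import base64
import hashlib
import hmac

# Algorithm and fingerprint-type numbers from RFC 4255, RFC 6594 and RFC 7479.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def parse_openssh_pubkey(line):
    """Split one ssh_host_*_key.pub line into (key type, wire-format key blob)."""
    key_type, b64, *_comment = line.split()
    return key_type, base64.b64decode(b64)

def sshfp_record(hostname, pubkey_line, fptype=2):
    """Build the SSHFP RR the host would publish (what `ssh-keygen -r` emits)."""
    key_type, blob = parse_openssh_pubkey(pubkey_line)
    digest = SSHFP_HASHES[fptype](blob).hexdigest()
    return f"{hostname}. IN SSHFP {SSHFP_ALGORITHMS[key_type]} {fptype} {digest}"

def verify_against_sshfp(pubkey_line, record):
    """The check VerifyHostKeyDNS performs: presented host key vs. DNS record."""
    algorithm, fptype, digest = record.split()[-3:]
    key_type, blob = parse_openssh_pubkey(pubkey_line)
    if SSHFP_ALGORITHMS.get(key_type) != int(algorithm) or int(fptype) not in SSHFP_HASHES:
        return False  # unknown key type or fingerprint type counts as no match
    expected = SSHFP_HASHES[int(fptype)](blob).hexdigest()
    return hmac.compare_digest(expected, digest.lower())

def make_ed25519_pubkey_line(raw32, comment="constructed-sample"):
    """Wire-encode a 32-byte ed25519 public key as an OpenSSH .pub line (test data)."""
    def ssh_string(b):
        return len(b).to_bytes(4, "big") + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

# Constructed sample host key, not a real server's key.
SAMPLE_PUBKEY_LINE = make_ed25519_pubkey_line(b"\x42" * 32)

if __name__ == "__main__":
    rec = sshfp_record("host.example.com", SAMPLE_PUBKEY_LINE)
    print(rec)
    print("match:", verify_against_sshfp(SAMPLE_PUBKEY_LINE, rec))
```

On a real host, `ssh-keygen -r host.example.com` produces the same kind of records from the keys under `/etc/ssh`; without DNSSEC the client cannot tell a genuine record from a spoofed one, which is why `ask` rather than `yes` is the sensible setting.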

------
IgorPartola
Monkeysphere is very cool. The biggest issue for me has been that it can be
slow to verify keys. Also getting coworkers to use it is a pain since they
usually have their own habits.

