[Info-vax] ssh, variant ssh ports, and DNS
Grant Taylor
gtaylor at tnetconsulting.net
Fri Jul 5 17:34:04 EDT 2019
On 7/5/19 3:02 PM, Stephen Hoffman wrote:
> Not required, and not part of any mainstream ssh client, but DNS SRV
> records are sometimes handy...
I've often wondered about using SRV records for SSH.
I usually decide not to do it because it puts the necessary information
out there to make it trivial for attackers to find SSH daemons and bang
on them just like any hostname would.
Though I guess many attackers are doing so by IP and not host name.
> https://gist.github.com/taylor/1372925
Oh wow. That looks like it's trying to be a wrapper for the ssh
command. That's not at all how I would go about that. For one thing, it
only works with the ssh command and not other things that use other
OpenSSH commands.
I'd be much more inclined to do something that would interface as a
ProxyCommand. That way other OpenSSH commands would benefit from it.
It also removes most, if not all, of the cruft dealing with hostnames
and usernames.
This also doesn't appear to support multiple IPs and / or ports, which
SRV records support. I guess you could say that you should only SSH to
one IP + port pair. Though I could hypothetically see a use for fall
back to another port and possibly system via judicious use of the
StrictHostKeyChecking.
--
Grant. . . .
unix || die
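An added example, not from the thread or from the gist Grant discusses, of what the ProxyCommand approach looks like in practice: a POSIX sh script that ssh invokes with `%h %p`, resolves `_ssh._tcp.<host>` SRV records with `dig`, orders the candidates, and hands the connection to `nc`, trying the next candidate when one fails. The script name `srv_proxy.sh`, the `example.net` hostnames, and the assumption that `dig` and a `nc` supporting `-w` are on the PATH are all mine; the SRV lines in `SAMPLE_SRV` are constructed so the ordering logic can be run offline.

```shell
#!/bin/sh
# srv_proxy.sh (hypothetical name): an OpenSSH ProxyCommand that resolves
# SRV records instead of wrapping the ssh command itself, so ssh, scp, sftp
# and anything else that reads ~/.ssh/config all benefit.
#
# Assumed ~/.ssh/config stanza:
#   Host *.example.net
#       ProxyCommand /path/to/srv_proxy.sh %h %p
#
# `dig +short SRV` prints one record per line: "<priority> <weight> <port> <target>."

# Order records by priority ascending, then weight descending, and print
# "target port" pairs. RFC 2782 asks for weighted random selection within a
# priority; sorting by weight is a deterministic stand-in for this example.
srv_order() {
    sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $4, $3 }'
}

# Constructed sample of dig output: two equal-priority daemons on port 22 and
# a lower-priority fallback on a non-standard port.
SAMPLE_SRV='20 0 2222 backup.example.net.
10 60 22 ssh1.example.net.
10 40 22 ssh2.example.net.'

# Print ordered candidates for host $1. With SRV_PROXY_TEST=1 the constructed
# sample is used instead of a DNS query, so the script runs offline.
srv_candidates() {
    if [ "${SRV_PROXY_TEST:-0}" = 1 ]; then
        printf '%s\n' "$SAMPLE_SRV" | srv_order
    else
        dig +short SRV "_ssh._tcp.$1" | srv_order
    fi
}

# Connect to the first reachable candidate; fall back to the literal host and
# port ssh supplied when the name has no SRV records at all.
connect_first() {
    host=$1 port=$2
    list=$(srv_candidates "$host")
    [ -n "$list" ] || list="$host $port"
    # The loop reads the candidate list on stdin, so keep ssh's own stdin on
    # fd 3 for nc. nc exits nonzero when the connect fails (5 second timeout).
    exec 3<&0
    while read -r target tport; do
        if nc -w 5 "$target" "$tport" <&3; then return 0; fi
        echo "srv_proxy: $target:$tport failed, trying next candidate" >&2
    done <<EOF
$list
EOF
    return 1
}

# Only act as a ProxyCommand when invoked with the two arguments ssh passes.
if [ $# -eq 2 ]; then
    connect_first "$1" "$2"
fi
```

One thing this does not solve on its own is the host key check Grant alludes to: ssh validates the key it receives against the known_hosts entry for the name you typed (`%h`), so a fallback that lands on a different machine presents a different key and fails verification unless that machine's key is also recorded under the same name. That is the situation where the StrictHostKeyChecking setting, or careful curation of known_hosts, comes into play.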