The following is valid for OpenSSH_8.2p1 Ubuntu-4, OpenSSL 1.1.1f 31 March 2020 as shipped with Ubuntu 20.04 LTS “Focal Fossa”. See the OpenSSH release notes for changes since the 7.6 release that came with Ubuntu 18.04.
sudo apt install ssh molly-guard
Client Configuration File
The system-wide default client settings are stored in
Change according to the example below:
    #
    # Our own servers
    #
    Host server1.example.net
        Port 63508
    Host server2.example.net
        Port 49208
        User admin
    Host *.example.net
        ForwardAgent Yes
        StrictHostKeyChecking Yes
        RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra
    Host github.com
        User git
    #
    # Global options
    #
    Host *
        HashKnownHosts No
        VerifyHostKeyDNS Yes
        StrictHostKeyChecking Ask
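The order of the blocks above matters: ssh reads the file top to bottom and keeps the first value it obtains for each option, which is why the catch-all Host * block with the looser StrictHostKeyChecking Ask comes last. The following added example (written for this page, not OpenSSH code) resolves the effective options for one hostname with those semantics. It embeds a constructed copy of the configuration above and a misordered variant; it only understands Host blocks (no Match, Include or Key=Value syntax). On a real system, ssh -G hostname prints the same effective values from the real parser.

```python
"""Added example: resolve effective ssh_config options for one host the way
OpenSSH evaluates the file, i.e. blocks in file order and the first value
obtained for an option wins.  Not OpenSSH code; it handles only Host blocks
(no Match, Include or Key=Value syntax)."""
import fnmatch

# Constructed copy of the client configuration discussed on this page.
SAMPLE_CONFIG = """\
#
# Our own servers
#
Host server1.example.net
    Port 63508
Host server2.example.net
    Port 49208
    User admin
Host *.example.net
    ForwardAgent Yes
    StrictHostKeyChecking Yes
    RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra
Host github.com
    User git
#
# Global options
#
Host *
    HashKnownHosts No
    VerifyHostKeyDNS Yes
    StrictHostKeyChecking Ask
"""

# Same settings with the catch-all block moved to the top: because the
# first value wins, the looser global StrictHostKeyChecking now shadows
# the stricter per-domain one.
MISORDERED_CONFIG = "Host *\n    StrictHostKeyChecking Ask\n" + SAMPLE_CONFIG


def parse_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order.

    The first element has no patterns and holds options that appear
    before any Host line; those apply to every host."""
    blocks = [([], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                    # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first occurrence wins, even inside a block
    return blocks


def host_matches(patterns, host):
    """OpenSSH pattern-list semantics: '*' and '?' wildcards, a leading '!'
    negates, and a negated match vetoes the whole block."""
    host = host.lower()
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if fnmatch.fnmatchcase(host, pat.lower()):
            if negate:
                return False
            matched = True
    return matched


def effective_options(text, host):
    """Options ssh would use for `host`, keyed by lower-cased keyword."""
    result = {}
    for patterns, options in parse_config(text):
        if patterns and not host_matches(patterns, host):
            continue
        for key, value in options.items():
            result.setdefault(key, value)         # earlier blocks take precedence
    return result


if __name__ == "__main__":
    for name in ("server2.example.net", "github.com"):
        print(name, effective_options(SAMPLE_CONFIG, name))
    print("misordered StrictHostKeyChecking for server2.example.net:",
          effective_options(MISORDERED_CONFIG, "server2.example.net")["stricthostkeychecking"])
```

With the configuration as written, server2.example.net ends up with StrictHostKeyChecking Yes from the *.example.net block and github.com with Ask from the global block; in the misordered variant every host, including server2.example.net, gets Ask.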
Unless /etc/resolv.conf contains edns0 and trust-ad in options,
glibc-using applications (like OpenSSH) aren't going to see that DNSSEC
validation was successful.
This affects our VerifyHostKeyDNS configuration option.
Since /etc/resolv.conf is often managed automatically, one can
set these options as a space-separated list in the RES_OPTIONS environment
variable instead, as described in the manpage for resolv.conf:
Add this to your
    # Let OpenSSH trust DNSSEC-signed SSHFP records found in DNS. Workaround for
    # https://github.com/NLnetLabs/dnssec-trigger/issues/5
    export RES_OPTIONS="edns0 trust-ad"
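glibc reads the options lines of resolv.conf and then RES_OPTIONS from the environment, so the two sources add up. The added example below (written for this page, not glibc or OpenSSH code) collects the option names from both and reports which of edns0 and trust-ad are still missing; the resolv.conf contents are constructed samples. Note that glibc documents trust-ad as safe only when the name servers listed in resolv.conf are trusted, because with it the AD bit from their answers is passed through to the application unchanged; the usual setup is a validating resolver on the local host.

```python
"""Added example: check whether the glibc resolver will pass DNSSEC validation
results (the AD bit) through to applications such as OpenSSH, by collecting
the options glibc sees from resolv.conf 'options' lines and from the
RES_OPTIONS environment variable.  Not code from the page, glibc or OpenSSH."""

# Options the page says OpenSSH needs so VerifyHostKeyDNS can trust SSHFP records.
REQUIRED_OPTIONS = ("edns0", "trust-ad")

# Constructed resolv.conf samples: one written for a local validating
# resolver, one from a stub resolver that lacks trust-ad.
RESOLV_CONF_OK = """\
# This file is managed automatically.
nameserver 127.0.0.1
options edns0 trust-ad
"""
RESOLV_CONF_NO_AD = """\
nameserver 127.0.0.53
options edns0 ndots:1
"""


def resolver_options(resolv_conf_text, environ):
    """Set of option names glibc ends up with.

    Every 'options' line in the file contributes, and glibc additionally
    parses RES_OPTIONS from the environment; option arguments such as
    'ndots:1' are reduced to their name."""
    found = set()
    for raw in resolv_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # both resolv.conf comment styles
            continue
        fields = line.split()
        if fields[0] == "options":
            found.update(f.split(":", 1)[0] for f in fields[1:])
    env_opts = environ.get("RES_OPTIONS", "").split()
    found.update(f.split(":", 1)[0] for f in env_opts)
    return found


def missing_dnssec_options(resolv_conf_text, environ):
    """Required options that neither resolv.conf nor RES_OPTIONS provides."""
    present = resolver_options(resolv_conf_text, environ)
    return [opt for opt in REQUIRED_OPTIONS if opt not in present]


if __name__ == "__main__":
    # Without the workaround the stub-resolver sample lacks trust-ad;
    # exporting RES_OPTIONS as on this page fills the gap.
    print("file only:", missing_dnssec_options(RESOLV_CONF_NO_AD, {}))
    print("with RES_OPTIONS:",
          missing_dnssec_options(RESOLV_CONF_NO_AD, {"RES_OPTIONS": "edns0 trust-ad"}))
```

To check a live system, pass the contents of /etc/resolv.conf and os.environ of the shell that will start ssh; RES_OPTIONS only takes effect in processes that inherit it, so it has to be exported in the profile of that shell.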