Inclusion of ssh host key fingerprints in gitlab.com DNS zone description
This issue targets gitlab.com rather than about.gitlab.com (which this project seems to be about). As this issue tracker covers company-related issues as well, I still feel fine posting it here.
Hello all,
when cloning gitlab.com-hosted repositories through ssh for the first time, clients usually prompt the user to accept the host key fingerprint manually. One can compare them with the published ones manually, but it would be more comfortable if you could make them available through SSHFP resource records in the gitlab.com DNS zone description. This way the check could be conducted by the git client automatically, resulting in increased safety and an overall nicer user experience.
- https://en.wikipedia.org/wiki/SSHFP_record
- rfc4255: Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
- rfc6594: Use of the SHA-256 Algorithm with RSA, Digital Signature Algorithm (DSA), and Elliptic Curve DSA (ECDSA) in SSHFP Resource Records
- rfc7479: Using Ed25519 in SSHFP Resource Records
One can instruct the official git client to make use of this RR by setting the `VerifyHostKeyDNS` ssh option through the `GIT_SSH_COMMAND` environment variable
- either permanently
- or for an individual `git` invocation only: `GIT_SSH_COMMAND='ssh -o VerifyHostKeyDNS=yes' git clone git@domain.tld:repo`.
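As an added example (not part of this issue and not GitLab's own tooling): a small script that derives the SSHFP records an operator would publish for a host key, and performs the fingerprint comparison the client does on the other side. The host key it uses is constructed inline and is not gitlab.com's real key; the owner name is an assumption.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey(line):
    """Split an OpenSSH public key line (as in known_hosts / *.pub) into
    (key type, raw key blob), checking that the blob's embedded type matches."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed OpenSSH public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len].decode() != keytype:
        raise ValueError("key type mismatch inside blob")
    return keytype, blob


def sshfp_record(owner, pubkey_line, fptype=2):
    """Return the zone-file SSHFP RR for a host key (fingerprint = hash of the blob)."""
    keytype, blob = parse_pubkey(pubkey_line)
    digest = SSHFP_HASHES[fptype](blob).hexdigest()
    return f"{owner}. IN SSHFP {SSHFP_ALGORITHMS[keytype]} {fptype} {digest}"


def sshfp_matches(record, pubkey_line):
    """The client-side check: does the presented key match the published record?
    VerifyHostKeyDNS=yes only trusts this outright when the DNS answer is
    DNSSEC-validated; an unauthenticated answer is handled like 'ask'."""
    fields = record.split()
    alg, fptype, fp = int(fields[-3]), int(fields[-2]), fields[-1].lower()
    keytype, blob = parse_pubkey(pubkey_line)
    if SSHFP_ALGORITHMS.get(keytype) != alg:
        return False
    return SSHFP_HASHES[fptype](blob).hexdigest() == fp


def constructed_key_line(keytype, keybytes):
    """Build an OpenSSH public key line for a single-field key type (e.g. ed25519).
    Used here only to construct a SAMPLE key; this is NOT a real gitlab.com host key."""
    name = keytype.encode()
    blob = len(name).to_bytes(4, "big") + name + len(keybytes).to_bytes(4, "big") + keybytes
    return f"{keytype} {base64.b64encode(blob).decode()} constructed-sample"


SAMPLE_KEY = constructed_key_line("ssh-ed25519", bytes(range(32)))  # constructed, not real
```

OpenSSH's own `ssh-keygen -r <hostname> -f <pubkey-file>` prints the same records from a real host key file.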
Thanks for making GitLab. I enjoy using your product a lot.
Best regards, Manuel