[Samba] ssh with certificates - was: AW: Samba Bind DLZ and Zone signing

Owen DeLong Owen.Delong at ff.com
Mon Dec 11 16:13:24 UTC 2023


OpenSSH would prefer you to use certificates, they do not appear to
have the code to use SSHFP with DNSSEC.



This appears to be incorrect:
Configuring the SSH client to look for host keys in DNS

Easy peasy: either you can add the line VerifyHostKeyDNS yes to your ~/.ssh/config file, or you can supply it on the command line using ssh -o VerifyHostKeyDNS=yes.

delong-dhcp183:owen (146) ~ % ssh -o VerifyHostKeyDNS=yes owen.delong.com date                                        2023/12/11 8:06:47

Mon Dec 11 16:06:52 UTC 2023

0.022u 0.009s 0:02.83 0.7% 0+0k 0+0io 1pf+0w

delong-dhcp183:owen (148) ~ % ssh -V                                                                                  2023/12/11 8:06:54

OpenSSH_9.3p2, LibreSSL 3.3.6


Samba


I suspect this is why the user is posting.

OpenSSH


Already done.

Bind


Already done.

Microsoft


Appears to be somewhat in progress, but yeah, I don’t think anyone is surprised that they are lagging on standards support.

Owen



