Revision - ca71ba4 - MFC 195820, 195940, 196643, 197663, 199067, 199215, and 199253:

Revision ca71ba4d0cfcf5f7a8e9b24339547b5a72299f80 authored by John Baldwin on 26 January 2010, 20:58:09 UTC, committed by John Baldwin on 26 January 2010, 20:58:09 UTC

MFC 195820, 195940, 196643, 197663, 199067, 199215, and 199253:

Optimize the cache flushing done when changing caching attributes of pages
by doing nothing for CPUs that support self-snooping and using CLFLUSH
instead of a full cache invalidate when possible.
- On i386 take care of possible mappings of the page by sf buffer by
  utilizing the mapping for clflush, otherwise map the page transiently.
  Amd64 uses the direct map.
- Do not use CLFLUSH on Intel CPUs due to problems with flushing the local
  APIC range by default.  This can be further controlled via the
  hw.clflush_disable loader tunable.  A setting of 1 disables the
  use of CLFLUSH.  A setting of 0 allows CLFLUSH to be used for Intel
  CPUs when CPUID_SS is not present.

Approved by:	re (kib)

1 parent a6a19cb

Files
Changes

Permalinks

README.dns

How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains support for verifying host keys using DNS as described in
draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
on how to use this feature. Configuring DNS is out of the scope of this
document.


(1) Server: Generate and publish the DNS RR

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:

	ssh-keygen -r hostname -f keyfile -g

where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key file. If you have multiple keys,
you should generate one RR for each key.

In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format parsable by most modern name server
implementations. If your nameserver has support for the SSHFP RR
you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.

To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone.


(2) Client: Enable ssh to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file
($HOME/.ssh/config or /etc/ssh/ssh_config):

    VerifyHostKeyDNS yes

Upon connection the client will try to look up the fingerprint RR
using DNS. If the fingerprint received from the DNS server matches
the remote host key, the user will be notified.


	Jakob Schlyter
	Wesley Griffin


$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...