Robert Story
2011-Jul-20 16:47 UTC
auto-accept keys matching DNSSEC-validated SSHFP records
Hi,

I submitted a patch back in November of 2009 to add local validation of DNSSEC records to openssh. I recently updated the patch for 5.8, and figured I'd do a little marketing while I'm at it. :-)

Someone had previously submitted a patch which simply trusted the AD bit in the response, which is susceptible to spoofing by anyone who can inject packets between the resolver and the client. Our patch always fetches the signatures and verifies them locally. A new option, oStrictDnssecChecking, determines whether or not an untrusted response is treated as a failure, or if the result is returned with a warning.

In addition to adding local validation, a new setting, oAutoAnswerValidatedKeys, allows the user to automatically accept new keys which match DNSSEC-validated SSHFP records. The default for this new option is off, so even if the record matches, the user will still be asked to confirm before connecting.

The patch is here:

https://bugzilla.mindrot.org/show_bug.cgi?id=1672

I dug up some test cases and output from my archives. These show the results seen when oAutoAnswerValidatedKeys is enabled.

1) ssh to a new host, DNSSEC-validated sshfp key:

$ ./ssh bishop
The authenticity of host 'bishop.vb (192.168.1.10)' was validated via DNSSEC.
Warning: Permanently added 'bishop.vb,192.168.1.10' (RSA) to the list of known hosts.

2) subsequent ssh to existing host with key changes, but no DNS update

$ ./ssh bishop
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
1a:48:3f:2c:54:29:60:c4:86:b9:78:bd:e9:64:1f:8d.
Please contact your system administrator.
Update the SSHFP RR in DNS with the new host key to get rid of this message.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
1a:48:3f:2c:54:29:60:c4:86:b9:78:bd:e9:64:1f:8d.
Please contact your system administrator.
Add correct host key in /home/rstory/.ssh/known_hosts to get rid of this message.
Offending key in /home/rstory/.ssh/known_hosts:69
RSA host key for bishop.vb has changed and you have requested strict checking.
Host key verification failed.

3) ssh to same host after SSHFP record updated and re-signed

$ ./ssh bishop
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
However, a matching host key, validated by DNSSEC, was found.
The fingerprint for the RSA key sent by the remote host is
1a:48:3f:2c:54:29:60:c4:86:b9:78:bd:e9:64:1f:8d.
Please contact your system administrator.
Add correct host key in /home/rstory/.ssh/known_hosts to get rid of this message.
Offending key in /home/rstory/.ssh/known_hosts:69
The authenticity of host 'bishop.vb (192.168.1.10)' was validated via DNSSEC.
Warning: Permanently added 'bishop.vb' (RSA) to the list of known hosts.

4) subsequent logins (no remote changes)

$ ./ssh bishop
Warning: the RSA host key for 'bishop.vb' differs from the key for the IP address '192.168.1.10'
Offending key for IP in /home/rstory/.ssh/known_hosts:69
Matching host key in /home/rstory/.ssh/known_hosts:70

5) IP addr change

$ ./ssh bishop
Warning: Permanently added the RSA host key for IP address '192.168.1.9' to the list of known hosts.

6) IP addr change and key change, with DNSSEC signed SSHFP record

$ ./ssh bishop
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@          WARNING: HOST IP ADDRESS HAS CHANGED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for bishop.vb has changed,
and the key for the according IP address 192.168.1.10
is unknown. The IP address for the host and its host key
have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
However, a matching host key, validated by DNSSEC, was found.
The fingerprint for the RSA key sent by the remote host is
c3:2d:e8:9e:65:b2:17:22:36:aa:73:47:d7:cd:5e:ae.
Please contact your system administrator.
Add correct host key in /home/rstory/.ssh/known_hosts to get rid of this message.
Offending key in /home/rstory/.ssh/known_hosts:69
The authenticity of host 'bishop.vb (192.168.1.10)' was validated via DNSSEC.
Warning: Permanently added 'bishop.vb,192.168.1.10' (RSA) to the list of known hosts.

Robert

--
Senior Software Engineer
SPARTA (dba Cobham Analytic Solutions)
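The post describes two separate checks: whether a presented host key matches an SSHFP record (RFC 4255 fingerprint over the wire-format public key blob, the same thing `ssh-keygen -r` prints), and what the client should do with a match depending on whether the RRset was validated locally and on the two new options. The block below is an added example in Python, not code from the bug 1672 patch or from OpenSSH. It assumes host keys are given as OpenSSH public key lines, SSHFP records in zone presentation form ("alg fptype hex"), and that the caller already has a boolean saying whether local DNSSEC validation succeeded (the validation itself is out of scope here). The option names follow the post; the exact accept/prompt/reject branching is this example's reading of the six test cases, and the RSA keys are constructed fixtures with arbitrary key material.

```python
"""SSHFP fingerprint matching plus the accept/prompt/reject policy from the post.

Added example, not the patch's code. Inputs: OpenSSH public key lines,
SSHFP records in presentation form (RFC 4255, fptype 2 = SHA-256 per RFC 6594),
and a flag telling whether the records were DNSSEC-validated locally.
"""
import base64
import hashlib
import struct

# RFC 4255 / RFC 6594 algorithm and fingerprint-type numbers.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
             "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob(pubkey_line):
    """Return (keytype, wire-format blob) from 'keytype base64 [comment]'."""
    keytype, b64 = pubkey_line.split()[:2]
    return keytype, base64.b64decode(b64)


def sshfp_rdata(pubkey_line, fptype=2):
    """SSHFP RDATA (alg, fptype, hex fingerprint): hash of the key blob."""
    keytype, blob = key_blob(pubkey_line)
    return SSHFP_ALG[keytype], fptype, SSHFP_HASH[fptype](blob).hexdigest()


def parse_sshfp(text):
    """Parse '1 2 ab12...'; zone files may split the hex, so join and lowercase."""
    alg, fptype, *hexparts = text.split()
    return int(alg), int(fptype), "".join(hexparts).lower()


def key_matches_sshfp(pubkey_line, records):
    """True if some record is the correct (alg, fptype, fingerprint) for the key."""
    for rec in records:
        alg, fptype, fp = parse_sshfp(rec)
        if fptype not in SSHFP_HASH:
            continue  # unknown hash type: cannot be checked, so never matches
        if (alg, fptype, fp) == sshfp_rdata(pubkey_line, fptype):
            return True
    return False


def decide(pubkey_line, records, dnssec_validated,
           strict_dnssec=True, auto_answer=False, known_hosts_line=None):
    """Return (action, notes); action is "accept", "prompt" or "reject".

    strict_dnssec / auto_answer stand in for oStrictDnssecChecking and
    oAutoAnswerValidatedKeys; known_hosts_line is the previously stored key
    for this host as a public key line (assumption of this example).
    """
    notes = []
    matched = key_matches_sshfp(pubkey_line, records)
    if matched and not dnssec_validated:
        # An unvalidated answer is what a packet-injecting attacker controls:
        # strict mode discards it, non-strict mode keeps it but warns.
        if strict_dnssec:
            notes.append("SSHFP match ignored: records not DNSSEC-validated")
            matched = False
        else:
            notes.append("warning: SSHFP match but records not DNSSEC-validated")
    validated_match = matched and dnssec_validated

    if known_hosts_line is not None:
        if key_blob(known_hosts_line) == key_blob(pubkey_line):
            return "accept", notes  # same key as last time
        if validated_match:  # cases 3 and 6 in the post
            notes.append("host key changed, but a DNSSEC-validated SSHFP record matches")
            return ("accept" if auto_answer else "prompt"), notes
        notes.append("host key changed and no validated SSHFP record matches")
        return "reject", notes  # case 2: strict host key checking fails

    if validated_match:  # case 1: new host vouched for by DNSSEC
        notes.append("authenticity validated via DNSSEC")
        return ("accept" if auto_answer else "prompt"), notes
    return "prompt", notes  # new host, nothing in DNS: the usual fingerprint prompt


def constructed_pubkey(keytype, fields, comment="constructed@example"):
    """Constructed fixture: real length-prefixed wire encoding, arbitrary key bytes."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = s(keytype.encode()) + b"".join(s(f) for f in fields)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


# Constructed "old" and "new" RSA host keys (e, n) for the host in the post.
OLD_KEY = constructed_pubkey("ssh-rsa", [b"\x01\x00\x01", b"\x00" + bytes(range(1, 65))])
NEW_KEY = constructed_pubkey("ssh-rsa", [b"\x01\x00\x01", b"\x00" + bytes(range(65, 129))])
OLD_RECORD = "%d %d %s" % sshfp_rdata(OLD_KEY)
NEW_RECORD = "%d %d %s" % sshfp_rdata(NEW_KEY)  # what the zone holds after re-signing

if __name__ == "__main__":
    print("case 1:", decide(NEW_KEY, [NEW_RECORD], True, auto_answer=True))
    print("case 2:", decide(NEW_KEY, [OLD_RECORD], True, auto_answer=True, known_hosts_line=OLD_KEY))
    print("case 3:", decide(NEW_KEY, [NEW_RECORD], True, auto_answer=True, known_hosts_line=OLD_KEY))
    print("spoofed:", decide(NEW_KEY, [NEW_RECORD], False, auto_answer=True, known_hosts_line=OLD_KEY))
```

The last call is the case the AD-bit approach gets wrong: a matching SSHFP record that was not validated locally cannot override a conflicting known_hosts entry, whichever way the two options are set.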
--On 20 July 2011 12:47:03 -0400 Robert Story <rstory at sparta.com> wrote:

> 3) ssh to same host after SSHFP record updated and re-signed
>
> $ ./ssh bishop
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> However, a matching host key, validated by DNSSEC, was found.
> The fingerprint for the RSA key sent by the remote host is
> 1a:48:3f:2c:54:29:60:c4:86:b9:78:bd:e9:64:1f:8d.
> Please contact your system administrator.
> Add correct host key in /home/rstory/.ssh/known_hosts to get rid of this
> message. Offending key in /home/rstory/.ssh/known_hosts:69
> The authenticity of host 'bishop.vb (192.168.1.10)' was validated via
> DNSSEC. Warning: Permanently added 'bishop.vb' (RSA) to the list of known
> hosts.

I think the functionality I'd want here (I appreciate other people might differ) is no warning here. But the text of this warning is really confusing. Firstly it says "Add correct host key in /home/rstory/.ssh/known_hosts to get rid of this message.", then tells you (I think) that it has done just that. It should either be telling you that you need to do it (and not completing the connection), or not warning and completing the connection, I think.

--
Alex Bligh