Luca Filipozzi
2012-May-09 04:20 UTC
feature request: modify getrrsetbyname() to use libunbound
Dear OpenSSH Developers,

I'm a member of the Debian System Administration (DSA) team. [1] We manage the Debian Project's computing infrastructure.

Recently, DSA had the opportunity to address a member's request that we begin using certificates to authenticate Debian Project machines to ssh clients. We provided a lengthy reply, the summary of which is "we publish SSHFP records; use VerifyHostKeyDNS; set up a local caching resolver to avoid MITM attacks".

That said, it seems rather cumbersome to have users install a local caching resolver in order to secure the last mile of DNS queries (who trusts their ISP, after all?), so we postulated whether it would be possible to modify openssh such that the ssh client could perform the queries itself. It turns out that this is quite straightforward to implement (see preliminary patch, attached), entirely because you have well encapsulated the DNS query code.

Since we are quite concerned that our project members (let alone our general user population) aren't managing their known_hosts in a secure or timely manner, we are keen on using SSHFP records... but only if the DNSSEC last mile issue can be addressed in a relatively easy way for users.

We propose that openssh be modified as follows:

(1) introduce a new ssh_config directive: UnboundConfigurationFile

(2) modify getrrsetbyname() such that, if UnboundConfigurationFile is set, then the unbound resolver is used; if not, then libc

(3) provide a default unbound configuration in /etc/ssh/ssh_unbound_conf

In this way, the standard mode of operation for ssh remains unchanged by default. Users who would like to use SSHFP records in a secure manner would set the configuration directive.

Please find attached a preliminary patch that modifies getrrsetbyname() to use libunbound rather than libc. We have proposed [2] this modification to the Debian openssh package maintainers.

Knowing that they (and we, too, frankly) would prefer the modification to be adopted by upstream, I've subscribed to the openssh-unix-dev list to begin the discussion (I've carbon copied my DSA colleagues and the openssh package maintainers so that they are aware). If there is interest in this proposal, I would be pleased to work with you to complete the patch. (In the meantime, I'm using openssh patched with libunbound on my macbook since OS/X's libc doesn't support DNSSEC.)

Thanks for your consideration,

Luca Filipozzi

[1] http://www.debian.org/intro/organization
[2] http://lists.debian.org/debian-ssh/2012/05/msg00004.html

-- 
Luca Filipozzi
Member, Debian System Administration Team

Attachment: openssh.diff (text/x-diff, 2654 bytes): <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20120509/689f068e/attachment.bin>
Peter Stuge
2012-May-09 06:08 UTC
feature request: modify getrrsetbyname() to use libunbound
Luca Filipozzi wrote:
> We propose that openssh be modified as follows:
>
> (1) introduce a new ssh_config directive: UnboundConfigurationFile

I don't think any SSH configuration directives should be tied to a specific implementation of anything outside the SSH domain.

> (3) provide a default unbound configuration in /etc/ssh/ssh_unbound_conf

What needs to be set in that config?

I think adding DNSSEC-related directives to ssh_config and perhaps also sshd_config would be more in line with the rest of the configuration directives. Hopefully configuration can be given also programmatically to libunbound, so that OpenSSH could use the same configuration directives regardless of which resolver library is used.

//Peter
Darren Tucker
2012-May-09 06:41 UTC
feature request: modify getrrsetbyname() to use libunbound
On Wed, May 09, 2012 at 04:20:33AM +0000, Luca Filipozzi wrote:
[...]
> We propose that openssh be modified as follows:
>
> (1) introduce a new ssh_config directive: UnboundConfigurationFile
>
> (2) modify getrrsetbyname() such that, if UnboundConfigurationFile is
> set, then the unbound resolver is used; if not, then libc
>
> (3) provide a default unbound configuration in /etc/ssh/ssh_unbound_conf

OK, here's my opinion:

- I am OK with adding support for libunbound (we already have compile-time support for an alternate resolver, ldns), however
- I am opposed to a new configuration file option because Portable-specific options increase the maintenance burden in both directions.

But first: why doesn't the system resolver support dnssec? Wouldn't the effort be better spent fixing that instead?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Ondřej Caletka
2012-May-09 07:50 UTC
feature request: modify getrrsetbyname() to use libunbound
On 9.5.2012 06:20, Luca Filipozzi wrote:
> That said, it seems rather cumbersome to have users install a local
> caching resolver in order to secure the last mile of DNS queries (who
> trusts their ISP, after all), so we postulated whether it would be
> possible to modify openssh such that the ssh client could perform the
> queries itself.

Wouldn't it be done by just adding a trust anchor to the current ldns resolving code? It looks like there is already some kind of autonomous validation attempt in getrrsetbyname-ldns.c:

    /* Check for authenticated data */
    if (ldns_pkt_ad(pkt)) {
        rrset->rri_flags |= RRSET_VALIDATED;
    } else {
        /* AD is not set, try autonomous validation */
        ldns_rr_list * trusted_keys = ldns_rr_list_new();

Regards,
Ondřej Caletka
Luca Filipozzi
2012-May-10 19:35 UTC
feature request: modify getrrsetbyname() to use libunbound
On Wed, May 09, 2012 at 05:41:37PM -0400, Robert Story wrote:
> On Wed, 9 May 2012 18:56:08 +0000 Luca wrote:
> LF> > Yes, which is why we prefer our DNSSEC-Tools libval patch, which
> LF> > always does local validation and does not depend on the AD flag.
> LF> >
> LF> > https://bugzilla.mindrot.org/show_bug.cgi?id=1672
>
> I just updated the patch for 6.0p1, in case anyone is interested in trying
> it.

Thanks very much.

> LF> (2) make use of Robert's DNSSEC-Tools-based implementation; could the
> LF> DNSSEC-Tools-specific implementation be moved from verify_host_key_dns()
> LF> to getrrsetbyname()?
>
> We wanted to have the lowest impact possible, and only do DNSSEC for
> verifying sshfp records. If upstream is willing to accept optional
> validation of all records, we could do that too.

I'm in favour of encapsulating the library-of-choice related code changes into getrrsetbyname(), leaving only the OpenSSH configuration related code changes in common openssh/openssh-portable code.

But before we invest more time in this effort, it would be helpful to hear upstream's opinion regarding our request for anchored DNSSEC validation to be built into openssh. We don't want to trust an upstream resolver's AD bit and we don't want to require that users install a local resolver. Do they concur?

-- 
Luca Filipozzi
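The thread turns on one point: the only thing the client should treat as "secure" is an SSHFP RRset whose DNSSEC chain was validated locally (libunbound's ub_result.secure, ldns autonomous validation, or libval), not an AD bit copied from an upstream resolver that anyone on the last mile can forge. The following added example (not code from OpenSSH, from the attached patch, or from any of the posters) models the client side of that decision in Python: it builds SSHFP RDATA from a host-key blob the way ssh-keygen -r does, checks a presented key against an RRset the way verify_host_key_dns() does, and then applies a VerifyHostKeyDNS-style policy. The RRSet.validated field stands in for RRSET_VALIDATED; the key bytes and records are constructed test data, and the flag names and decision strings are this example's own, chosen to mirror OpenSSH's DNS_VERIFY_* flags.

```python
"""
Added example (not OpenSSH code, not the attached patch): turn an SSHFP RRset
into a host-key decision, and show why "validated" must come from local DNSSEC
validation rather than an upstream resolver's AD flag.
All key material and DNS data below is constructed for the demo.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# SSHFP RDATA fields (RFC 4255, RFC 6594): key algorithm and fingerprint type.
SSHFP_KEY_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

# Result flags, named after the DNS_VERIFY_* flags in OpenSSH's dns.h.
DNS_VERIFY_FOUND = 0x1
DNS_VERIFY_MATCH = 0x2
DNS_VERIFY_SECURE = 0x4


@dataclass
class RRSet:
    """What a getrrsetbyname()-style lookup hands back to the caller."""
    name: str
    rdatas: List[bytes]
    # True only when the resolver library validated the chain itself
    # (libunbound ub_result.secure, ldns/libval local validation).
    # Copying an upstream resolver's AD bit into this field is exactly
    # the last-mile trust the thread argues against.
    validated: bool = False


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b


def ed25519_pubkey_blob(raw32: bytes) -> bytes:
    """Public-key blob as it appears (base64) in known_hosts / *.pub files."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def sshfp_rdata(keytype: str, fptype: int, blob: bytes) -> bytes:
    """SSHFP RDATA for a key blob: algorithm, fingerprint type, fingerprint."""
    return bytes([SSHFP_KEY_ALG[keytype], fptype]) + SSHFP_HASH[fptype](blob).digest()


def parse_sshfp(rdata: bytes):
    if len(rdata) < 3:
        raise ValueError("SSHFP RDATA too short")
    return rdata[0], rdata[1], rdata[2:]


def verify_host_key_dns(keytype: str, blob: bytes, rrset: Optional[RRSet]) -> int:
    """Compare a presented host key against the SSHFP RRset; return DNS_VERIFY_* flags."""
    if rrset is None or not rrset.rdatas:
        return 0
    flags = DNS_VERIFY_FOUND
    for rdata in rrset.rdatas:
        alg, fptype, fp = parse_sshfp(rdata)
        if alg != SSHFP_KEY_ALG[keytype] or fptype not in SSHFP_HASH:
            continue  # record for another key type or an unknown hash: ignore
        if SSHFP_HASH[fptype](blob).digest() == fp:
            flags |= DNS_VERIFY_MATCH
    if rrset.validated:
        flags |= DNS_VERIFY_SECURE
    return flags


def host_key_decision(flags: int, verify_host_key_dns_opt: str = "yes") -> str:
    """VerifyHostKeyDNS-style policy: only a matching AND validated record
    lets the client accept a key without asking the user."""
    if flags & DNS_VERIFY_MATCH:
        if flags & DNS_VERIFY_SECURE and verify_host_key_dns_opt == "yes":
            return "accept"
        return "prompt"  # matching but unverified: still ask the user
    if flags & DNS_VERIFY_FOUND:
        return "warn"    # records exist but none match: possible MITM or stale zone
    return "prompt"      # no SSHFP data: ordinary known_hosts flow


# Constructed demo data: not real key pairs, only the public blob bytes matter here.
HOST_BLOB = ed25519_pubkey_blob(bytes(range(32)))
ATTACKER_BLOB = ed25519_pubkey_blob(bytes(range(32, 64)))
ZONE_RRSET = [sshfp_rdata("ssh-ed25519", 1, HOST_BLOB),
              sshfp_rdata("ssh-ed25519", 2, HOST_BLOB)]
FORGED_RRSET = [sshfp_rdata("ssh-ed25519", 2, ATTACKER_BLOB)]


def demo() -> dict:
    """Five scenarios; the two 'mitm_*' entries are the whole argument of the thread."""
    name = "host.example.org"
    check = lambda blob, rrset: host_key_decision(verify_host_key_dns("ssh-ed25519", blob, rrset))
    return {
        # genuine host, answer validated locally against a trust anchor
        "validated_genuine": check(HOST_BLOB, RRSet(name, ZONE_RRSET, validated=True)),
        # genuine host, same records, but no local validation available
        "unvalidated_genuine": check(HOST_BLOB, RRSet(name, ZONE_RRSET, validated=False)),
        # MITM presents its own key and forges the SSHFP answer; client that
        # copies the attacker-set AD bit into 'validated' silently accepts it
        "mitm_trusting_ad": check(ATTACKER_BLOB, RRSet(name, FORGED_RRSET, validated=True)),
        # same forgery, but local validation fails (attacker cannot sign the zone)
        "mitm_local_validation": check(ATTACKER_BLOB, RRSet(name, FORGED_RRSET, validated=False)),
        # MITM key checked against the real, validated zone data
        "mitm_validated_zone": check(ATTACKER_BLOB, RRSet(name, ZONE_RRSET, validated=True)),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:24s} -> {outcome}")
```

The "mitm_trusting_ad" case is the failure mode Luca describes: with plain libc the client has no way to tell an AD bit set by the ISP's resolver from one set by an attacker on the path, so the forged record and the forged key line up and the connection is accepted without a prompt. With a local validator the same forgery comes back unvalidated and the client falls back to prompting, at which point the known_hosts mismatch is visible to the user.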