I have been running openSSH 7.4p1 for a while now. When I upgraded to 7.5 a year or so ago I ran into the problem listed in this bug report:

Bug report: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218472

The release notes for 7.6 indicate that the fix patch was included:
https://www.openssh.com/txt/release-7.6

I tried 7.6 and I still cannot connect without a prompt wondering if I am really sure.

-----------------
7.4p1

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<snip>
debug3: verify_host_key_dns
debug2: ldns: got 1 answers from DNS
debug1: found 1 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ~/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug1: Authentication succeeded (publickey).
-----------------
7.6p1

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<snip>
debug3: verify_host_key_dns
debug1: found 1 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
debug3: hostkeys_foreach: reading file "~/.ssh/known_hosts"
debug3: hostkeys_foreach: reading file "~/.ssh/known_hosts"
The authenticity of host 'host.domain.com (1.2.3.4)' can't be established.
ECDSA key fingerprint is SHA256:<snip>.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? ^C
-----------------

The system I am testing on is running macOS 10.13.2 (High Sierra). Others in my office are getting the same problem and running a similar setup (though some are running macOS 10.12).

Is this a bug still or is there possibly something else at play here?

Is anyone else having the same problem? (Is anyone else using SSHFP/DNSSEC?)

Thanks,
Jonathan
> Is anyone else having the same problem? (Is anyone else using SSHFP/DNSSEC?)

I replaced the ldns code with getdns. Works fine for more than a year now.

I don't think anybody cares. I tried to tell people. But that had no effect.
> I replaced the ldns code with getdns. Works fine for more than a year now.

I am interested in how you did that. Would you mind sharing your procedure?

> I don't think anybody cares. I tried to tell people. But that had no
> effect.

There certainly is not as much talk about it as I would expect there to be.
On 11 January 2018 at 07:12, Jonathan Duncan <jonathan at nacnud.com> wrote:
> I have been running openSSH 7.4p1 for a while now. When I upgraded to 7.5 a
> year or so ago I ran into the problem listed in this bug report:

Upgraded how? Built yourself? Configured with which options and which version of LDNS?

> 7.4p1
>
> debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<snip>
> debug3: verify_host_key_dns
> debug2: ldns: got 1 answers from DNS
> debug1: found 1 secure fingerprints in DNS

Note the "ldns:" line. This one is built with LDNS.

> 7.6p1
>
> debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<snip>
> debug3: verify_host_key_dns
> debug1: found 1 insecure fingerprints in DNS

Note the lack of the ldns: line. I suspect this one is not built with LDNS. You can confirm this with ldd, you should see something like:

$ ldd ssh | grep ldns
libldns.so.2 => /usr/lib/libldns.so.2 (0xb7bfe000)

> The system I am testing on is running macOS 10.13.2 (High Sierra). Others
> in my office are getting the same problem and running a similar setup
> (though some are running macOS 10.12)
>
> Is this a bug still or is there possibly something else at play here?

I suspect it's something else. I'd check config.h and your build logs to make sure LDNS was actually enabled as you expect.

> Is anyone else having the same problem? (Is anyone else using SSHFP/DNSSEC?)

I just set up DNSSEC for my domain and built 7.6p1 with LDNS 1.7.0 and (other than ldns-config wanting to link -lpython2.7 for some reason) it worked.

$ ./ssh -vvv -o verifyhostkeydns=yes server | grep -i dns
debug3: verify_host_key_dns
debug2: ldns: got 6 answers from DNS
debug1: found 6 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
On Thu, Jan 11, 2018 at 3:39 AM, Darren Tucker <dtucker at dtucker.net> wrote:
> On 11 January 2018 at 07:12, Jonathan Duncan <jonathan at nacnud.com> wrote:
> > I have been running openSSH 7.4p1 for a while now. When I upgraded to 7.5 a
> > year or so ago I ran into the problem listed in this bug report:
>
> Upgraded how? Built yourself? Configured with which options and
> which version of LDNS?

I am on a Mac using Homebrew for package management.

> > 7.4p1
> > debug2: ldns: got 1 answers from DNS
>
> Note the "ldns:" line. This one is built with LDNS.

Noted

> > 7.6p1
> >
> > debug3: verify_host_key_dns
>
> Note the lack of the ldns: line. I suspect this one is not built with
> LDNS. You can confirm this with ldd, you should see something like:

Good catch. You are correct. Apparently the current versions have removed the ldns option due to a version conflict with openssl at 1.1

ldd does not apply here since I am using Homebrew. Though building my own from source is certainly an option.

> I suspect it's something else. I'd check config.h and your build logs
> to make sure LDNS was actually enabled as you expect.

Yes, it is something else. Thank you for the assistance. I will take it from here.

> > Is anyone else having the same problem? (Is anyone else using
> > SSHFP/DNSSEC?)
>
> I just set up DNSSEC for my domain and built 7.6p1 with LDNS 1.7.0 and
> it worked.

I am glad to hear it! At my office we quite enjoy the benefits of DNSSEC.

Cheers!
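The "found 1 secure fingerprints" versus "found 1 insecure fingerprints" lines in the thread are the whole story: ssh computes an SSHFP fingerprint from the presented host key, compares it with the records it got back, and only skips the "Are you sure" prompt when a match came from a DNSSEC-validated answer, which it can only learn about through a validating resolver library such as ldns. The following Python model of that decision is an added example written for this thread, not OpenSSH's own code. Record layout and the algorithm/fingerprint-type numbers follow RFC 4255, RFC 6594 and RFC 7479; the Ed25519 host key and the DNS answers are constructed placeholders, and the function names are this example's own.

```python
"""Model of the SSHFP host-key check (ssh's verify_host_key_dns) behind the
debug lines in this thread.  Example code for this thread, not OpenSSH's
own source.  The host key and the DNS answers are CONSTRUCTED; real records
come from `ssh-keygen -r <host>` and are served from a DNSSEC-signed zone."""
import base64
import hashlib
import struct

# known_hosts key type -> SSHFP algorithm number
# (RFC 4255: 1 RSA, 2 DSA; RFC 6594: 3 ECDSA; RFC 7479: 4 Ed25519)
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
# SSHFP fingerprint type -> hash (1 = SHA-1, RFC 4255; 2 = SHA-256, RFC 6594)
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data):
    """RFC 4251 'string' encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_pubkey_line():
    """A syntactically valid 'ssh-ed25519 <base64>' line built from 32
    placeholder bytes.  Enough for fingerprint arithmetic; it is not a real
    key and must never be installed anywhere."""
    raw = bytes(range(0x10, 0x30))            # constructed key material
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


def _key_blob_and_algo(pubkey_line):
    keytype, b64 = pubkey_line.split()[:2]
    return base64.b64decode(b64), SSHFP_ALGORITHMS[keytype]


def sshfp_records(hostname, pubkey_line):
    """The zone-file lines `ssh-keygen -r hostname` prints for this key.  The
    fingerprint is the hash of the decoded key blob, the same bytes ssh
    hashes for its 'SHA256:...' fingerprint display."""
    blob, algo = _key_blob_and_algo(pubkey_line)
    return ["%s IN SSHFP %d %d %s" % (hostname, algo, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_FPTYPES.items())]


def parse_sshfp_rr(line):
    """'host IN SSHFP algo fptype hex' -> (algo, fptype, hex).  The hex field
    may be split by whitespace in zone files, so the tail is re-joined."""
    fields = line.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), "".join(fields[i + 3:]).lower()


def dns_lookup_flags(pubkey_line, rr_lines, validated):
    """Mirror the flags ssh derives from the answer: found = at least one
    SSHFP RR, match = one of them hashes to the presented key, secure = the
    resolver (ldns, or getdns in the other reply) reported the answer as
    DNSSEC-validated.  A build without a validating resolver never sets
    secure, which is the 'found 1 insecure fingerprints' case above."""
    blob, algo = _key_blob_and_algo(pubkey_line)
    flags = {"found": False, "match": False, "secure": bool(validated)}
    for algo_rr, fptype, hexfp in (parse_sshfp_rr(l) for l in rr_lines):
        flags["found"] = True
        if algo_rr == algo and fptype in SSHFP_FPTYPES \
                and SSHFP_FPTYPES[fptype](blob).hexdigest() == hexfp:
            flags["match"] = True
    return flags


def prompt_required(flags, verify_host_key_dns="yes"):
    """Decision for a host not yet in known_hosts: only a matching record
    from a DNSSEC-validated answer, with VerifyHostKeyDNS=yes, skips the
    'Are you sure you want to continue connecting' prompt."""
    if not flags["found"]:
        return True, "no SSHFP record for host"
    if not flags["match"]:
        return True, "SSHFP record present but does not match presented key (host key changed?)"
    if flags["secure"] and verify_host_key_dns == "yes":
        return False, "host key matches DNSSEC-validated SSHFP record"
    return True, "Matching host key fingerprint found in DNS."   # hint only, still asks


if __name__ == "__main__":
    key = constructed_ed25519_pubkey_line()
    rrs = sshfp_records("host.domain.com", key)
    for validated in (True, False):          # ldns-enabled build vs. plain build
        f = dns_lookup_flags(key, rrs, validated)
        print("validated=%s %s -> %s" % (validated, f, prompt_required(f)))
```

Running it prints the two outcomes from the thread side by side: with a validated answer the prompt is skipped, with the same matching record but no validation you get the "Matching host key fingerprint found in DNS." hint and the prompt anyway. The check on the resolver side (ldd or, on macOS, otool -L against the ssh binary) is what tells you which of the two builds you actually have.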