bugzilla-daemon at mindrot.org
2021-Jun-18 16:12 UTC
[Bug 3322] New: Switch SSHFP default digest to SHA256
https://bugzilla.mindrot.org/show_bug.cgi?id=3322
Bug ID: 3322
Summary: Switch SSHFP default digest to SHA256
Product: Portable OpenSSH
Version: 8.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: dbelyavs at redhat.com
OpenSSH uses SHA1 as a default digest for SSHFP records for RSA/DSA
algorithms.
RFC 6594 permits using the much more secure SHA256 algorithm with SSHFP
records. SHA256 is already the default digest for Ed25519 and ECDSA SSHFP
records.
The straightforward PR:
https://github.com/openssh/openssh-portable/pull/259
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Jul-16 12:16 UTC
[Bug 3322] Switch SSHFP default digest to SHA256
https://bugzilla.mindrot.org/show_bug.cgi?id=3322
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
Blocks| |3302
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
I commented on the pull request too, but I don't think your change
actually does anything. While iterating the rrset, the existing code
uses the digest type from the DNS record:
    if (hostkey_digest_type != dnskey_digest_type) {
        hostkey_digest_type = dnskey_digest_type;
        free(hostkey_digest);
        /* Initialize host key parameters */
        if (!dns_read_key(&hostkey_algorithm,
            &hostkey_digest_type, &hostkey_digest,
            &hostkey_digest_len, hostkey)) {
If we add a couple of debug calls to the current code you can see it
verifies both fingerprint types (this machine has SHA1 and SHA256 RSA
fingerprints):
$ ./ssh -vvv -o verifyhostkeydns=ask -o hostkeyalgorithms=rsa-sha2-256 fw 2>&1 | grep -i dns
debug3: verify_host_key_dns
debug1: found 4 insecure fingerprints in DNS
debug3: verify_host_key_dns: checking SSHFP type 4 fptype 1
debug3: verify_host_key_dns: checking SSHFP type 1 fptype 1
debug1: verify_host_key_dns: matched SSHFP type 1 fptype 1
debug3: verify_host_key_dns: checking SSHFP type 3 fptype 2
debug3: verify_host_key_dns: checking SSHFP type 1 fptype 2
debug1: verify_host_key_dns: matched SSHFP type 1 fptype 2
It'll return success if either validate, though, which is probably not
ideal. It should probably ensure that all fingerprints match.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3302
[Bug 3302] Tracking bug for openssh-8.7
bugzilla-daemon at mindrot.org
2021-Jul-16 12:52 UTC
[Bug 3322] Switch SSHFP default digest to SHA256
https://bugzilla.mindrot.org/show_bug.cgi?id=3322
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Attachment #3539 Flags| |ok?(djm at mindrot.org)
--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3539
--> https://bugzilla.mindrot.org/attachment.cgi?id=3539&action=edit
Simplify verify_host_key_dns() and verify all fingerprints
I think this is what it should do: verify all fingerprint types present
in DNS. If any fail to verify the overall check fails.
bugzilla-daemon at mindrot.org
2021-Jul-16 12:57 UTC
[Bug 3322] Switch SSHFP default digest to SHA256
https://bugzilla.mindrot.org/show_bug.cgi?id=3322
--- Comment #3 from Dmitry Belyavskiy <dbelyavs at redhat.com> ---
Yes, it's a proper solution for the verification. I'm more disturbed about
creating the new records - I got a (possibly wrong) impression that the
default value is used on creation.
bugzilla-daemon at mindrot.org
2021-Jul-16 13:28 UTC
[Bug 3322] Switch SSHFP default digest to SHA256
https://bugzilla.mindrot.org/show_bug.cgi?id=3322
--- Comment #4 from Darren Tucker <dtucker at dtucker.net> ---
> I got a (possibly wrong) impression that the default value is used on
> creation.
Creation of the SSHFP records? It iterates over the available digest types
in export_dns_rr():
    for (dtype = SSHFP_HASH_SHA1; dtype < SSHFP_HASH_MAX; dtype++) {
        rdata_digest_type = dtype;
        if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
            &rdata_digest, &rdata_digest_len, key)) {
$ ./ssh-keygen -r fw
fw IN SSHFP 1 1 [...]
fw IN SSHFP 1 2 [...]
fw IN SSHFP 2 1 [...]
fw IN SSHFP 2 2 [...]
fw IN SSHFP 3 1 [...]
fw IN SSHFP 3 2 [...]
fw IN SSHFP 4 1 [...]
fw IN SSHFP 4 2 [...]
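To make the two behaviours discussed in comments #1, #2 and #4 concrete, here is an added Python model (not OpenSSH's code) of both sides: generating one SSHFP record per digest type the way the export_dns_rr() loop does, and verifying a host key against an rrset either with the old "any one record matches" rule or with the attachment 3539 rule that every understood record for the key's algorithm must match. The ssh_string helper and SAMPLE_KEY_BLOB are constructed for the example; the blob is a syntactically valid ssh-ed25519 wire encoding, not a real key.

```python
import hashlib
import hmac
import struct

# SSHFP algorithm and digest-type numbers (RFC 4255 / RFC 6594).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}  # fptype 1 = SHA1, 2 = SHA256

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

# Constructed sample host key blob (NOT a real key): an ssh-ed25519 public key
# blob is the type name followed by the 32 raw key bytes, both as SSH strings.
SAMPLE_KEY_TYPE = "ssh-ed25519"
SAMPLE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))

def export_dns_rr(hostname, key_type, blob):
    """Emit one (hostname, alg, fptype, hex-digest) record per digest type,
    as ssh-keygen -r does by looping dtype from SSHFP_HASH_SHA1 upwards."""
    alg = SSHFP_ALG[key_type]
    return [(hostname, alg, fptype, h(blob).hexdigest())
            for fptype, h in SSHFP_HASH.items()]

def verify_host_key_dns(key_type, blob, rrset, require_all=True):
    """Check a host key blob against an rrset of (alg, fptype, hex) tuples.
    require_all=True is the attachment 3539 semantics: every record for this
    key algorithm whose digest we can compute must match, and at least one
    must be present. require_all=False is the pre-patch behaviour described
    in comment #1, where a single matching record is enough."""
    alg = SSHFP_ALG[key_type]
    matched = failed = 0
    for rr_alg, fptype, fp_hex in rrset:
        if rr_alg != alg or fptype not in SSHFP_HASH:
            continue  # record for another key type, or an unknown digest type
        expected = SSHFP_HASH[fptype](blob).hexdigest()
        if hmac.compare_digest(expected, fp_hex.lower()):
            matched += 1
        else:
            failed += 1
    if require_all:
        return matched > 0 and failed == 0
    return matched > 0
```

With require_all=False, corrupting only the SHA256 record still verifies because the SHA1 record matches; with require_all=True the same rrset is rejected, which is the change the patch makes.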
bugzilla-daemon at mindrot.org
2021-Jul-17 02:42 UTC
[Bug 3322] Switch SSHFP default digest to SHA256
https://bugzilla.mindrot.org/show_bug.cgi?id=3322
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3539 Flags|ok?(djm at mindrot.org) |ok+
bugzilla-daemon at mindrot.org
2021-Jul-19 04:20 UTC
[Bug 3322] Verify both SHA1 and SHA256 SSHFP records when both are present
https://bugzilla.mindrot.org/show_bug.cgi?id=3322
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Switch SSHFP default digest to SHA256 |Verify both SHA1 and SHA256 SSHFP records when both are present
--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
The patch has been committed and
bugzilla-daemon at mindrot.org
2021-Jul-19 04:21 UTC
[Bug 3322] Verify both SHA1 and SHA256 SSHFP records when both are present
https://bugzilla.mindrot.org/show_bug.cgi?id=3322
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #6 from Darren Tucker <dtucker at dtucker.net> ---
... will be in the next major release. Thanks for the report.
bugzilla-daemon at mindrot.org
2022-Feb-25 02:57 UTC
[Bug 3322] Verify both SHA1 and SHA256 SSHFP records when both are present
https://bugzilla.mindrot.org/show_bug.cgi?id=3322
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
closing bugs resolved before openssh-8.9