bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-18 19:15 UTC
[Bug 1672] New: add local DNSSEC validation
https://bugzilla.mindrot.org/show_bug.cgi?id=1672
Summary: add local DNSSEC validation
Product: Portable OpenSSH
Version: 5.3p1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: ssh
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: robert.story at cobham.com
Created an attachment (id=1722)
--> (https://bugzilla.mindrot.org/attachment.cgi?id=1722)
add local DNSSEC validation
The attached patch adds local DNSSEC validation to ssh using the
DNSSEC-Tool libraries.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-18 19:16 UTC
[Bug 1672] add local DNSSEC validation
https://bugzilla.mindrot.org/show_bug.cgi?id=1672
--- Comment #1 from robert.story at cobham.com 2009-11-19 06:16:26 EST ---
Created an attachment (id=1723)
--> (https://bugzilla.mindrot.org/attachment.cgi?id=1723)
README
bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-18 20:55 UTC
[Bug 1672] add local DNSSEC validation
https://bugzilla.mindrot.org/show_bug.cgi?id=1672
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1722|ssh-dnssec.pat |ssh-dnssec.patch
filename| |
Attachment #1722|application/octet-stream |text/plain
mime type| |
Attachment #1722|0 |1
is patch| |
bugzilla-daemon at bugzilla.mindrot.org
2010-Oct-20 15:11 UTC
[Bug 1672] add local DNSSEC validation
https://bugzilla.mindrot.org/show_bug.cgi?id=1672
jarrod.b.johnson+osb at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jarrod.b.johnson+osb at gmail.
| |com
--- Comment #2 from jarrod.b.johnson+osb at gmail.com 2010-10-21 02:11:27 EST
---
I would like to see this baked into OpenSSH as well. As it stands, the
DNSSEC support for SSHFP has two critical gaps as far as I can tell:
-No protection for DNS hijacking between client and closest DNS server
(e.g. most home users point at an ISP DNS server, so anyone with access
to the ISP network can trick DNSSEC validated SSHFP records even
without compromising the security of DNSSEC)
-The inability to cleanly deal with the case where local nameserver is
authoritative. The AD bit won't be set if AA is set. If I'm using a
local DNS server as a repository for SSHFP records, I cannot use this
infrastructure to help scripted execution of ssh as it stands since it
will receive authoritative, but not validated data. Commonly, a
resolver on localhost can close the gap for most cases, but executing
ssh from the DNS server itself remains problematic.
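As an added illustration of the two gaps described in the comment above (this is example code written for this page; it is not the attached patch and not OpenSSH or DNSSEC-Tools code), the following stdlib-only Python script builds wire-format DNS responses carrying an SSHFP record, parses them, and applies the policy of a client that relies on the resolver's AD bit. The host name, the Ed25519 host key blob and the DNS messages are all constructed for the example, and `trusted_resolver_path` is a hypothetical parameter standing in for "the hop to the resolver cannot be tampered with" (loopback, or validation done in the client itself). A local authoritative server answers with AA set and AD clear, so the record is reported as unverified even though the fingerprint matches; an ISP resolver may set AD, but that bit is worthless if the path to it is not trusted.

```python
"""Added example for the SSHFP/AD-bit discussion: not code from the bug,
OpenSSH or DNSSEC-Tools.  All names, keys and DNS messages are constructed."""
import hashlib
import struct

SSHFP = 44            # RR type (RFC 4255)
ALG_ED25519 = 4       # SSHFP algorithm number for Ed25519 (RFC 7479)
FPTYPE_SHA256 = 2     # SSHFP fingerprint type SHA-256 (RFC 6594)
FLAG_QR, FLAG_AA, FLAG_AD = 0x8000, 0x0400, 0x0020   # DNS header flag bits


def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def encode_name(name):
    """Encode a dotted host name as DNS labels terminated by a zero label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_sshfp_response(name, hostkey_blob, flags):
    """Wire-format DNS response with one SSHFP RR for `name` (no EDNS, no RRSIG)."""
    fp = hashlib.sha256(hostkey_blob).digest()
    rdata = bytes([ALG_ED25519, FPTYPE_SHA256]) + fp
    hdr = struct.pack(">HHHHHH", 0x1234, FLAG_QR | flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", SSHFP, 1)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack(">HHIH", SSHFP, 1, 3600, len(rdata)) + rdata
    return hdr + question + answer


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_sshfp_response(msg):
    """Return (header flags, [(algorithm, fptype, fingerprint), ...])."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == SSHFP:
            records.append((rdata[0], rdata[1], rdata[2:]))
    return flags, records


def sshfp_verdict(msg, hostkey_blob, trusted_resolver_path):
    """Policy of a client that trusts the resolver's AD bit (hypothetical model).

    'trusted'    - fingerprint matches and AD is set on a trusted resolver path
    'unverified' - fingerprint matches but the answer is not usably validated
    'mismatch'   - no SSHFP record matches the presented host key
    """
    flags, records = parse_sshfp_response(msg)
    fp = hashlib.sha256(hostkey_blob).digest()
    matched = any(a == ALG_ED25519 and t == FPTYPE_SHA256 and f == fp
                  for a, t, f in records)
    if not matched:
        return "mismatch"
    # AD is only a claim made by the resolver; it carries no weight unless the
    # hop to that resolver is itself trustworthy (the first gap in comment #2).
    if flags & FLAG_AD and trusted_resolver_path:
        return "trusted"
    return "unverified"


def demo():
    """Constructed host key and three resolver situations from the discussion."""
    hostkey = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    name = "host.example.net."
    validated = build_sshfp_response(name, hostkey, FLAG_AD)       # validating recursive resolver
    authoritative = build_sshfp_response(name, hostkey, FLAG_AA)   # local authoritative server: AA, never AD
    other_key = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
    return {
        "local_validator": sshfp_verdict(validated, hostkey, trusted_resolver_path=True),
        "isp_resolver": sshfp_verdict(validated, hostkey, trusted_resolver_path=False),
        "authoritative_only": sshfp_verdict(authoritative, hostkey, trusted_resolver_path=True),
        "wrong_key": sshfp_verdict(validated, other_key, trusted_resolver_path=True),
    }
```

`demo()` returns the four verdicts; the only way to obtain `trusted` is a validated answer over a path the client controls, which is what moving DNSSEC validation into the client itself provides, and the authoritative-only case shows why a server that is authoritative for its own SSHFP zone can never satisfy an AD-bit-based check.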
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-06 21:59 UTC
[Bug 1672] add local DNSSEC validation
https://bugzilla.mindrot.org/show_bug.cgi?id=1672
cuylaertspascal at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |cuylaertspascal at gmail.com
--- Comment #3 from cuylaertspascal at gmail.com 2011-01-07 08:59:31 EST ---
I've been trying to patch OpenSSH 5.3p1 with the patch that can be found
in dnssec-tools 1.8. During the final step, when I issue 'sudo make
install' for OpenSSH, I always get the error that the shared library
'libsres.so.9' can't be found.
I've run the configure script for OpenSSH with the following
parameters:
'./configure --with-local-dnssec-validation
--with-ldflags=-L/usr/local/lib/ --prefix=/usr/bin
--sysconfdir=/etc/ssh'
The library it tries to find can be found in '/usr/local/lib', so I
don't know what I'm doing wrong here.
Does any of you have a clue?
bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-19 10:18 UTC
[Bug 1672] add local DNSSEC validation
https://bugzilla.mindrot.org/show_bug.cgi?id=1672
Kenny Root <kenny at the-b.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kenny at the-b.org
bugzilla-daemon at bugzilla.mindrot.org
2011-Jun-27 14:25 UTC
[Bug 1672] add local DNSSEC validation
https://bugzilla.mindrot.org/show_bug.cgi?id=1672
robert.story at cobham.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |robert.story at cobham.com
Version|5.3p1 |5.8p2
--- Comment #4 from robert.story at cobham.com 2011-06-28 00:25:25 EST ---
(In reply to comment #3)
> I've been trying to patch OpenSSH 5.3p1 with the patch that can be found
> in dnssec-tools 1.8. During the final step, when I issue 'sudo make
> install' for OpenSSH, I always get the error that the shared library
> 'libsres.so.9' can't be found.
>
> I've run the configure script for OpenSSH with the following
> parameters:
> './configure --with-local-dnssec-validation
> --with-ldflags=-L/usr/local/lib/ --prefix=/usr/bin
> --sysconfdir=/etc/ssh'
>
> The library it tries to find can be found in '/usr/local/lib', so I
> don't know what I'm doing wrong here.
>
> Does any of you have a clue?
Maybe /usr/local/lib isn't in the search path for ld? Try adding it to
/etc/ld.so.conf.
bugzilla-daemon at bugzilla.mindrot.org
2011-Jun-27 14:27 UTC
[Bug 1672] add local DNSSEC validation
https://bugzilla.mindrot.org/show_bug.cgi?id=1672
robert.story at cobham.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1722|0 |1
is obsolete| |
--- Comment #5 from robert.story at cobham.com 2011-06-28 00:27:05 EST ---
Created attachment 2060
--> https://bugzilla.mindrot.org/attachment.cgi?id=2060
updated patch against 5.8p2
bugzilla-daemon at bugzilla.mindrot.org
2012-May-09 20:43 UTC
[Bug 1672] add local DNSSEC validation
https://bugzilla.mindrot.org/show_bug.cgi?id=1672
rstory at tislabs.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2060|0 |1
is obsolete| |
--- Comment #6 from rstory at tislabs.com 2012-05-10 06:43:53 EST ---
Created attachment 2150
--> https://bugzilla.mindrot.org/attachment.cgi?id=2150
updated patch for 6.0p1
updated for 6.0p1
bugzilla-daemon at bugzilla.mindrot.org
2012-May-09 20:44 UTC
[Bug 1672] add local DNSSEC validation
https://bugzilla.mindrot.org/show_bug.cgi?id=1672
rstory at tislabs.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|5.8p2 |6.0p1
bugzilla-daemon at bugzilla.mindrot.org
2012-May-18 04:36 UTC
[Bug 1672] add local DNSSEC validation
https://bugzilla.mindrot.org/show_bug.cgi?id=1672
rstory at tislabs.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2150|0 |1
is obsolete| |
--- Comment #7 from rstory at tislabs.com 2012-05-18 14:36:23 EST ---
Created attachment 2152
--> https://bugzilla.mindrot.org/attachment.cgi?id=2152
update for 5.0p1
Forgot to run autoreconf for the first pass at the 6.0p1 update. New
patch updated after autoreconf and after updating a few function calls
that have changed since the 5.8p1 version of the patch.
bugzilla-daemon at bugzilla.mindrot.org
2012-May-18 04:37 UTC
[Bug 1672] add local DNSSEC validation
https://bugzilla.mindrot.org/show_bug.cgi?id=1672
rstory at tislabs.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2152|update for 5.0p1 |update for 6.0p1
description| |