bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-19 08:11 UTC
[Bug 2501] New: VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Bug ID: 2501
Summary: VerifyHostKeyDNS & StrictHostKeyChecking
Product: Portable OpenSSH
Version: 7.1p1
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: thorduri at secnorth.net
Created attachment 2753
--> https://bugzilla.mindrot.org/attachment.cgi?id=2753&action=edit
Two patches for the above.
When SSHFP RR is missing (while there are records available) ssh does
not
distinguish between these two, leading to confusing error messages,
that
is the "normal" warn_changed_key() blurb is emitted.
Further, when VerifyHostDNS is set and StrictHostKeyChecking is set and
the host presented key matches the known host key but the RR is missing
the same warning is emitted however the user is not prompted for
confirmation
that the connection should continue (this might be by design) but I'd
argue
it violates POLA.
Attached are two na?ve patches to portable (cloned from
anongit at mindrot.org) that attempt to tackle the above.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Dec-03 08:07 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Thordur Bjornsson <thorduri at secnorth.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |thorduri at secnorth.net
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Dec-11 03:42 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Attachment #2753|application/octet-stream |text/plain
mime type| |
Attachment #2753|0 |1
is patch| |
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Dec-11 03:48 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2451
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2451
[Bug 2451] Bugs intended to be fixed in 7.2
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Jan-28 16:17 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501 --- Comment #1 from Thordur Bjornsson <thorduri at secnorth.net> --- Worth keeping this open ? -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-26 03:44 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501 --- Comment #2 from Damien Miller <djm at mindrot.org> --- Retarget to openssh-7.3 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-26 03:45 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2543
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2543
[Bug 2543] Tracking bug for OpenSSH 7.3 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-26 03:47 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2451 |
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Retarget to openssh-7.3
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2451
[Bug 2451] Bugs intended to be fixed in 7.2
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:10 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501 --- Comment #4 from Damien Miller <djm at mindrot.org> --- retarget unfinished bugs to next release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:14 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2594
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
retarget unfinished bugs to next release
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2594
[Bug 2594] Tracking bug for OpenSSH 7.4 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:15 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501 --- Comment #6 from Damien Miller <djm at mindrot.org> --- retarget unfinished bugs to next release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:17 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501 --- Comment #7 from Damien Miller <djm at mindrot.org> --- retarget unfinished bugs to next release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:19 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2543 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2543
[Bug 2543] Tracking bug for OpenSSH 7.3 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Dec-16 03:31 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2647
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
OpenSSH 7.4 release is closing; punt the bugs to 7.5
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Dec-16 03:33 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2594 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2594
[Bug 2594] Tracking bug for OpenSSH 7.4 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-30 03:43 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2698
--- Comment #9 from Damien Miller <djm at mindrot.org> ---
Move incomplete bugs to openssh-7.6 target since 7.5 shipped a while
back.
To calibrate expectations, there's little chance all of these are going
to make 7.6.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-30 03:44 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501 --- Comment #10 from Damien Miller <djm at mindrot.org> --- remove 7.5 target -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-30 03:45 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2647 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-01 03:52 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2753|0 |1
is obsolete| |
Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
CC| |dtucker at zip.com.au
Attachment #3046| |ok?(dtucker at zip.com.au)
Flags| |
--- Comment #11 from Damien Miller <djm at mindrot.org> ---
Created attachment 3046
--> https://bugzilla.mindrot.org/attachment.cgi?id=3046&action=edit
updated to current
This looks reasonable to me. Darren?
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-01 04:32 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3046|ok?(dtucker at zip.com.au) |ok+
Flags| |
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-01 05:53 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #12 from Damien Miller <djm at mindrot.org> ---
Patch applied. This will be in OpenSSH 7.6
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-14 05:29 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |---
--- Comment #13 from Darren Tucker <dtucker at zip.com.au> ---
commit aea59a0d9f120f2a87c7f494a0d9c51eaa79b8ba
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Sep 14 04:32:21 2017 +0000
upstream commit
Revert commitid: gJtIN6rRTS3CHy9b.
-------------
identify the case where SSHFP records are missing but other DNS RR
types are present and display a more useful error message for this
case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
-------------
This caused unexpected failures when VerifyHostKeyDNS=yes, SSHFP
results
are missing but the user already has the key in known_hosts
Spotted by dtucker@
Upstream-ID: 97e31742fddaf72046f6ffef091ec0d823299920
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-22 03:29 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2782
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-22 03:29 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2698 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06 03:09 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2852
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06 03:12 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2782 |
--- Comment #14 from Damien Miller <djm at mindrot.org> ---
Move to OpenSSH 7.8 tracking bug
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-13 03:56 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2852 |
--- Comment #15 from Damien Miller <djm at mindrot.org> ---
So basically this needs to be rewritten to make the behaviour changes /
warnings happen only after the key has been checked for in known_hosts.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2023-Sep-14 11:49 UTC
[Bug 2501] VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Celeste Liu <CoelacanthusHex at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |CoelacanthusHex at gmail.com
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
Reasonably Related Threads
- Missing SSHFP RRs / VerifyHostKeyDNS & StrictHostKeyChecking
- [Bug 2400] New: StrictHostKeyChecking=no behaviour on HOST_CHANGED is excessively insecure
- [Bug 2439] New: New sha256-base64 SSH Fingerprints in openssh-6.8
- [Bug 2440] New: X11 connection will fail if user's home directory is read-only
- [Bug 2158] New: Race condition in receiving SIGTERM