Matthew Roy
2012-Jan-04 00:56 UTC
ECDSA, SSHFP, and "Error calculating host key fingerprint."
When connecting to a host that provides an ECDSA host key and the client has "VerifyHostKeyDNS" set to 'yes' or 'ask', SSH outputs a mysterious and undocumented message "Error calculating host key fingerprint." This error actually seems to be generated by verify_host_key_dns(const char *hostname, struct sockaddr *address, Key *hostkey, int *flags) in dns.c, but neither that fact nor the reason for the error is mentioned in the manual. Is it possible to refine the error message so it is more clear what's going on, or to punt and note it in the man pages?

This may become a moot issue when the currently proposed update to RFC 4255 [1] gets approved and ECDSA SSHFP records are supported, but for now it seems like something should provide the user a better explanation of what's going on and assurance that all is in fact well.

Matthew Roy

[1] https://datatracker.ietf.org/doc/draft-os-ietf-sshfp-ecdsa-sha2/
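The fingerprint step that verify_host_key_dns() has to perform, as an added example that is not OpenSSH code: map the host key type to an SSHFP algorithm number, hash the raw key blob, and compare with the records from DNS. With only RFC 4255 there is no number for ECDSA, which is why the client fails; the example raises a descriptive error there instead, and with allow_draft=True applies the numbers the draft cited above assigns (ECDSA = 3, SHA-256 = 2). The function names and the sample key blobs are constructed for the example; the blobs use the real wire layout but dummy key material.

```python
import base64
import hashlib
import struct

# RFC 4255: the only algorithm numbers and fingerprint type the client knows.
RFC4255_ALG = {"ssh-rsa": 1, "ssh-dss": 2}
SHA1 = 1
# Values assigned by draft-os-ietf-sshfp-ecdsa-sha2 (ECDSA = 3, SHA-256 = 2).
DRAFT_ALG = {t: 3 for t in ("ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")}
SHA256 = 2

class UnsupportedKeyType(Exception):
    """Descriptive replacement for the bare 'Error calculating host key fingerprint'."""

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def key_type(blob: bytes) -> str:
    """The first SSH string in a public-key blob names the key type."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def blob_from_pubkey_line(line: str) -> bytes:
    """Decode the base64 field of a known_hosts / authorized_keys style line."""
    return base64.b64decode(line.split()[1])

def sshfp_rdata(blob: bytes, allow_draft: bool = False) -> tuple:
    """(algorithm, fptype, hex fingerprint): the fields 'ssh-keygen -r' prints."""
    ktype = key_type(blob)
    if ktype in RFC4255_ALG:
        return RFC4255_ALG[ktype], SHA1, hashlib.sha1(blob).hexdigest()
    if allow_draft and ktype in DRAFT_ALG:
        return DRAFT_ALG[ktype], SHA256, hashlib.sha256(blob).hexdigest()
    raise UnsupportedKeyType(
        f"no SSHFP algorithm number for host key type {ktype!r}: "
        "RFC 4255 covers only ssh-rsa and ssh-dss")

def verify_against_dns(blob: bytes, records, allow_draft: bool = False) -> bool:
    """True if one of the (alg, fptype, hex) SSHFP records matches the host key."""
    alg, fpt, fp = sshfp_rdata(blob, allow_draft)
    return any((a, t, h.lower()) == (alg, fpt, fp) for a, t, h in records)

# Constructed sample blobs: real wire layout, dummy key material.
RSA_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xc3\x8f\x5a\x12")
ECDSA_BLOB = ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256") + ssh_string(b"\x04" + b"\x11" * 64)
RSA_LINE = "ssh-rsa " + base64.b64encode(RSA_BLOB).decode() + " host.example"
```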