Luca Filipozzi
2012-May-09 04:20 UTC
feature request: modify getrrsetbyname() to use libunbound
Dear OpenSSH Developers, I'm a member of the Debian System Administration (DSA) team. [1] We manage the Debian Projects computing infrastructure. Recently, DSA had the opportunity to address a member's request that we begin using certificates to authenticate Debian Project machines to ssh clients. We provided a lengthy reply, the summary of which is "we publish SSHFP records; use VerifyHostKeyDNS; set up a local caching resolver to avoid MITM attacks". That said, it seems rather cumbersome to have users install a local caching resolver in order to secure the last mile of DNS queries (who trusts their ISP, after all), so we postulated whether it would be possible to modify openssh such that the ssh client could perform the queries itself. It turns out that this is quite straightforward to implement (see preliminary patch, attached), entirely because you have have well encapsulated the DNS query code. Since we are quite concerned that our project members (let alone our general user population) aren't managing their known_hosts in a secure or timely manner, we are keen on using SSHFP records .. but only if the DNSSEC last mile issue can be addressed in a relatively easy way for users. We propose that openssh be modified as follows: (1) introduce a new ssh_config directive: UnboundConfigurationFile (2) modify getrrsetbyname() such that, if UnboundConfigurationFile is set, then the unbound resolver is used; if not, then libc (3) provide a default unbound configuration in /etc/ssh/ssh_unbound_conf In this way, the standard mode of operation for ssh remains unchanged by default. Users who would like to use SSHFP records in a secure manner would set the configuration directive. Please find attached a preliminary patch that modifies getrrsetbyname() to use libunbound rather than libc. We have proposed [2] this modification to the Debian openssh package maintainers. Knowing that they (and we, too, frankly) would prefer the modification to be adopted by upstream, I've subscribed to the openssh-unix-dev list to begin the discussion (I've carbon copied my DSA colleagues and the openssh package maintainers so that they are aware). If there is interest in this proposal, I would be pleased to work with you to complete the patch. (In the meantime, I'm using openssh patched with libunbound on my macbook since OS/X's libc doesn't support DNSSEC.) Thanks for your consideration, Luca Filipozzi [1] http://www.debian.org/intro/organization [2] http://lists.debian.org/debian-ssh/2012/05/msg00004.html -- Luca Filipozzi Member, Debian System Administration Team -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh.diff Type: text/x-diff Size: 2654 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20120509/689f068e/attachment.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 190 bytes Desc: Digital signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20120509/689f068e/attachment-0001.bin>
Peter Stuge
2012-May-09 06:08 UTC
feature request: modify getrrsetbyname() to use libunbound
Luca Filipozzi wrote:> We propose that openssh be modified as follows: > > (1) introduce a new ssh_config directive: UnboundConfigurationFileI don't think any SSH configuration directives should be tied to a specific implementation of anything outside the SSH domain.> (3) provide a default unbound configuration in /etc/ssh/ssh_unbound_confWhat needs to be set in that config? I think adding DNSSEC-related directives to ssh_config and perhaps also sshd_config would be more in line with the rest of the configuration directives. Hopefully configuration can be given also programatically to libunbound, so that OpenSSH could use the same configuration directives regardless of which resolver library is used. //Peter -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 190 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20120509/9d614818/attachment.bin>
Darren Tucker
2012-May-09 06:41 UTC
feature request: modify getrrsetbyname() to use libunbound
On Wed, May 09, 2012 at 04:20:33AM +0000, Luca Filipozzi wrote: [...]> We propose that openssh be modified as follows: > > (1) introduce a new ssh_config directive: UnboundConfigurationFile > > (2) modify getrrsetbyname() such that, if UnboundConfigurationFile is > set, then the unbound resolver is used; if not, then libc > > (3) provide a default unbound configuration in /etc/ssh/ssh_unbound_confOK, here's my opinion: - I am OK with adding support for libunbound (we already have compile-time support for an alternate resolver, ldns), however - I am oposed to a new configuration file option because Portable-specific options increase the maintenance burden in both directions. But first: why doesn't the system resolver support dnssec? Wouldn't the effort be better spent fixing that instead? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Ondřej Caletka
2012-May-09 07:50 UTC
feature request: modify getrrsetbyname() to use libunbound
Dne 9.5.2012 06:20, Luca Filipozzi napsal(a):> That said, it seems rather cumbersome to have users install a local > caching resolver in order to secure the last mile of DNS queries (who > trusts their ISP, after all), so we postulated whether it would be > possible to modify openssh such that the ssh client could perform the > queries itself.Wouldn't it be done by just adding trust anchor to current ldns resolving code? It looks like there is already some kind of autonomous validation attempt in getrrsetbyname-ldns.c: /* Check for authenticated data */ if (ldns_pkt_ad(pkt)) { rrset->rri_flags |= RRSET_VALIDATED; } else { /* AD is not set, try autonomous validation */ ldns_rr_list * trusted_keys = ldns_rr_list_new(); Regards, Ond?ej Caletka
Luca Filipozzi
2012-May-10 19:35 UTC
feature request: modify getrrsetbyname() to use libunbound
On Wed, May 09, 2012 at 05:41:37PM -0400, Robert Story wrote:> On Wed, 9 May 2012 18:56:08 +0000 Luca wrote: > LF> > Yes, which is why we prefer our DNSSEC-Tools libval patch, which > LF> > always does local validation and does not depend on the AD flag. > LF> > > LF> > https://bugzilla.mindrot.org/show_bug.cgi?id=1672 > > I just updated the patch for 6.0p1, in case anyone is interested in trying > it.Thanks very much.> LF> (2) make use of Robert's DNSSEC-Tools-based implementation; could the > LF> DNSSEC-Tools-specific implementation be moved from verify_host_key_dns() > LF> to getrrsetbyname()? > > We wanted to have the lowest impact possible, and only do DNSSEC for > verifying sshfp records. If upstream is willing to accept optional > validation of all records, we could do that too.I'm in favour of encapsulating the libary-of-choice related code changes into getrrsetbyname(), leaving only the OpenSSH configuration related code changes in common openssh/openssh-portable code. But before we invest more time in this effort, it would be helpful to hear upstream's opinion regarding our request for anchored DNSSEC validation to be built into openssh. We don't want to trust on an upstream resolver's AD bit and we don't want to require that users install a local resolver. Do they concur? -- Luca Filipozzi
Possibly Parallel Threads
- Redefinition of _res in getrrsetbyname.c
- [Bug 1320] New: Add support for ldns
- [Bug 2119] New: SSHFP with DNSSEC – no trust anchors given, validation always fails
- [PATCH] Add support for ldns
- openbsd-compat/getrrsetbyname.c: answer buffer size too large for EDNS0 and glibc