Thordur I. Bjornsson
2015-Nov-18 22:52 UTC
Missing SSHFP RRs / VerifyHostKeyDNS & StrictHostKeyChecking
Y'all,

Currently (OpenSSH_7.1p1) no distinction is made between when an SSHFP RR is missing from the result set (rather than being empty), which can lead to confusing error messages (the "normal" warn_changed_key() blurb is emitted), e.g. when the presented host key and known hosts both match but there is no matching RR.

Further, if VerifyHostKeyDNS and StrictHostKeyChecking are set, there is no prompting for confirmation if the connection should be allowed to proceed; I'm unsure if this is by design or not (as presented host key and known host key match), but I'd argue this violates POLA.

Attached are two naïve patches to portable (cloned from anongit at mindrot.org) that attempt to tackle the above.

--
/ciao, thorduri.
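The three outcomes the post distinguishes (no SSHFP record published for the key type, records published but none matching, and a match) can be made explicit in code. The following is an added example, not a patch from the thread and not OpenSSH's own dns.c logic: it computes SSHFP fingerprints per RFC 4255 (SHA-1 or SHA-256 over the raw public-key blob), classifies a DNS answer against a presented key, and shows one way the known_hosts result, the DNS result and StrictHostKeyChecking could be combined so that "no RR" is not reported as a changed key. The key blob and records are constructed inline; the `decide` policy is an illustration of the behaviour argued for, not a statement of what ssh(1) does.

```python
import base64
import hashlib
import struct
from enum import Enum

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALG = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


class DnsResult(Enum):
    NO_RR = "no SSHFP record published for this key type"
    NO_MATCH = "SSHFP records published but none match the presented key"
    MATCH = "an SSHFP record matches the presented key"


def ssh_string(b):
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(b)) + b


def key_type(blob):
    """The first SSH string in a public-key blob names its algorithm."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


def parse_known_hosts_line(line):
    """Return (hostname, key blob) from a plain (unhashed) known_hosts line."""
    host, _ktype, b64 = line.split()[:3]
    return host, base64.b64decode(b64)


def parse_sshfp(presentation):
    """Parse an SSHFP RDATA in presentation form, e.g. '4 2 <hex>'."""
    alg, fptype, fp = presentation.split()
    return int(alg), int(fptype), fp.lower()


def sshfp_from_key(blob, fptype=2):
    """Fingerprint a key blob the way an SSHFP RR would carry it."""
    alg = SSHFP_ALG[key_type(blob)]
    return alg, fptype, SSHFP_FPTYPE[fptype](blob).hexdigest()


def verify_host_key_dns(blob, rrset):
    """Classify an SSHFP RRset against the key the server presented."""
    alg = SSHFP_ALG[key_type(blob)]
    candidates = [rr for rr in rrset if rr[0] == alg and rr[1] in SSHFP_FPTYPE]
    if not candidates:
        return DnsResult.NO_RR  # absent record is not evidence of a key change
    for _, fptype, fp in candidates:
        if SSHFP_FPTYPE[fptype](blob).hexdigest() == fp.lower():
            return DnsResult.MATCH
    return DnsResult.NO_MATCH


def decide(known_hosts_match, dns_result, strict):
    """Illustrative policy: (action, reason). action is accept/ask/reject."""
    if dns_result is DnsResult.NO_MATCH:
        # Published records disagree with the presented key: a real warning.
        return ("reject" if strict else "ask", DnsResult.NO_MATCH.value)
    if known_hosts_match:
        # known_hosts agrees; a missing RR only deserves a note, not warn_changed_key().
        return ("accept", "known_hosts matches; " + dns_result.value)
    if dns_result is DnsResult.MATCH:
        return ("accept", DnsResult.MATCH.value)
    return ("reject" if strict else "ask", "no trusted source verifies this key")


# Constructed sample: a fake ed25519 key blob (32 placeholder key bytes).
KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
KNOWN_HOSTS_LINE = "host.example ssh-ed25519 " + base64.b64encode(KEY_BLOB).decode()

if __name__ == "__main__":
    _, kh_blob = parse_known_hosts_line(KNOWN_HOSTS_LINE)
    rrset = [sshfp_from_key(KEY_BLOB)]
    print(decide(kh_blob == KEY_BLOB, verify_host_key_dns(KEY_BLOB, rrset), True))
    print(decide(kh_blob == KEY_BLOB, verify_host_key_dns(KEY_BLOB, []), True))
```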
Damien Miller
2015-Nov-19 02:50 UTC
Missing SSHFP RRs / VerifyHostKeyDNS & StrictHostKeyChecking
On Wed, 18 Nov 2015, Thordur I. Bjornsson wrote:

> Y'all,
>
> Currently (OpenSSH_7.1p1) no distinction is made between when an SSHFP
> RR is missing from the result set (rather than being empty), which can lead to
> confusing error messages (the "normal" warn_changed_key() blurb is emitted),
> e.g. when the presented host key and known hosts both match but there is
> no matching RR.
>
> Further, if VerifyHostKeyDNS and StrictHostKeyChecking are set, there
> is no prompting for confirmation if the connection should be allowed to
> proceed; I'm unsure if this is by design or not (as presented host key and
> known host key match), but I'd argue this violates POLA.
>
> Attached are two naïve patches to portable (cloned from
> anongit at mindrot.org) that attempt to tackle the above.

Looks like the list server ate the attachments - could you attach them to a bug on https://bugzilla.mindrot.org/ ?
Thordur I. Bjornsson
2015-Nov-19 08:12 UTC
Missing SSHFP RRs / VerifyHostKeyDNS & StrictHostKeyChecking
On Thu, Nov 19, 2015 at 3:50 AM, Damien Miller <djm at mindrot.org> wrote:

> Looks like the list server ate the attachments - could you attach them
> to a bug on https://bugzilla.mindrot.org/ ?

Welp. My bad. I've created: https://bugzilla.mindrot.org/show_bug.cgi?id=2501

--
/ciao, thorduri.