search for: sshfp

In the current implementation, ssh always uses the hostname supplied by the user directly for the SSHFP DNS record lookup. This causes problems when using the domain search path, e.g. I have "search example.com" in my resolv.conf and then do a "ssh host", I will connect to host.example.com, but ssh will query the DNS for an SSHFP record of "host.", not "host.exampl...

https://bugzilla.mindrot.org/show_bug.cgi?id=2040 Priority: P5 Bug ID: 2040 Assignee: unassigned-bugs at mindrot.org Summary: Downgrade attack vulnerability when checking SSHFP records Severity: minor Classification: Unclassified OS: All Reporter: ondrej at caletka.cz Hardware: All Status: NEW Version: 6.1p1 Component: ssh Product: Portable OpenSSH Created att...

Steps to reproduce: 1. Run a SSH server with default configuration and point a domain to it. 2. Add SSHFP record to the domain, but only for Ed25519 key. 3. Attempt to connect with VerifyHostKeyDNS set to yes, but the rest of settings set to defaults. 4. OpenSSH defaults to ECDSA instead of Ed25519 and refuses connection because there is no ECDSA fingerprint in SSHFP records. A stopgap solution is to...

Hi, I was sure I sent this to openssh at openssh.com, but cannot find that email now in my Sent mailbox, so I am sending it to the developers list. I took a liberty and wrote an I-D with accompanying patch (with contributions from Ondrej Caletka) to support ECDSA in the SSHFP DNS resource record. The I-D is here: https://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2 (and the source XML here: https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/changes/draft-os-ietf-sshfp-ecdsa-sha2-00.xml) The patch to vanilla 5.8 here: https://git.nic.cz/redmine/...

Well, known_hosts isn't exactly trusted input, since it's usually composed of the keys you first encounter, without any additional checking, as opposed to (hopefully) correctly signed SSHFP records. On Sat, Feb 23, 2019 at 10:22 PM Peter Stuge <peter at stuge.se> wrote: > > Yegor Ievlev wrote: > > > I think it's a very bad idea to have the client start treating foreign > > > network input as equivalent to local configuration. > > > > Well...

Hello. Subramanian Moonesamy has gotten the ball rolling to include Ed25519 in IANA's registry for SSHFP key types [1]. I've opened a bug report [2] that includes a patch that adds the needed support code and provisionally assigns Ed25519 a value of 4 (values 1,2,3 reserved for RSA, DSA, and ECDA, respectively) [3]. The enhancement request/bug is meant to keep the issue on the radar. --mancha...

hi folks: it looks like ssh-keygen -r can''t export SSHFP records for ECDSA keys: 0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -f foobar -t ecdsa -q -P '''' 0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -r foobar -f foobar.pub export_dns_rr: unsupported algorithm 0 dkg@pip:/tmp/cdtemp.oiRYAS$ the first number in my prompt is the return code of th...

https://bugzilla.mindrot.org/show_bug.cgi?id=2223 Bug ID: 2223 Summary: Ed25519 support in SSHFP DNS resource records Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org...

https://bugzilla.mindrot.org/show_bug.cgi?id=2041 Priority: P5 Bug ID: 2041 Assignee: unassigned-bugs at mindrot.org Summary: Check for SSHFP when certificate is offered. Severity: enhancement Classification: Unclassified OS: All Reporter: ondrej at caletka.cz Hardware: All Status: NEW Version: 6.1p1 Component: ssh Product: Portable OpenSSH Crea...

Well, SSHFP is supposed to only be used on DNSSEC-enabled domains. On Sat, Feb 23, 2019 at 9:59 PM Peter Stuge <peter at stuge.se> wrote: > > Yegor Ievlev wrote: > > It would make more sense to treat SSHFP records in the same way as > > known_hosts > > I disagree with that - know...

...s for your client to ignore it. On Sat, Feb 23, 2019 at 11:49 AM Damien Miller <djm at mindrot.org> wrote: > > On Fri, 22 Feb 2019, Yegor Ievlev wrote: > > > Steps to reproduce: > > 1. Run a SSH server with default configuration and point a domain to it. > > 2. Add SSHFP record to the domain, but only for Ed25519 key. > > 3. Attempt to connect with VerifyHostKeyDNS set to yes, but the rest > > of settings set to defaults. > > 4. OpenSSH defaults to ECDSA instead of Ed25519 and refuses connection > > because there is no ECDSA fingerprint in S...

Hi, is it possible to use SSHFP DNS records to enable password-free host-based login? What I already got working is to use SSHFP DNS records to verify the server host keys. debug1: found 2 secure fingerprints in DNS debug1: matching host key fingerprint found in DNS But hostbased login does not work and I still need to supply...

Hi, I found a small issue with DNSSEC validation of SSHFP lookups. (For reference I used OpenSSH 6.8p1 on FreeBSD 10.1). The issues is that when DNSSEC valiation fails, ssh displays a confusing message to the user. When DNSSEC validation of a SSHFP record fails, ssh presents the user with "Matching host key fingerprint found in DNS. "Are you su...

Greetings. I've set up several sshfp records some time ago. Everything works great except the way openssh chooses the sshfp record. Now it looks liek the client asks for the name supplied on the command line. It might be a bit trouble some since there are at least three ways to set up some aliases and at leas one of them is secure....

...CC| |daniel.black at ovee.com.au Keywords| |openbsd, patch --- Comment #2 from Daniel Black <daniel.black at ovee.com.au> --- ecdsa fingerprints now standardised rfc6594 and registered http://www.iana.org/assignments/dns-sshfp-rr-parameters/dns-sshfp-rr-parameters.xml Patch: https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/changes/ssh-sshfp-ecdsa.patch If that doesn't work your openssl doesn't have ecc support due to patent distribution restrictions. -- You are receiving this mail because...

Have you seen this? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513 --mancha

Hi All, I've been working on a diff to get SSHFP support for ed25519 in OpenSSH. SM has been working through the IETF process to obtain the SSHFP RR Type number. Despite getting "rough consensus", we still haven't heard anything from the IETF Security Directors for the draft. SM sent a mail asking why it is taking so long, and it...

...StrictDnssecChecking, determines whether or not an untrusted response is treated as a failure, or if the result is returned with a warning. In addition to adding local validation, a new setting, oAutoAnswerValidatedKeys, allows the user to automatically accept new keys which match DNSSEC-validated SSHFP records. The default for this new option is off, so even if the record matches, the user will still be asked to confirm before connecting. The patch is here: https://bugzilla.mindrot.org/show_bug.cgi?id=1672 I dug up some test cases and output from my archives. These show the results seen when...

Y'all, Currently (OpenSSH_7.1p1) no distinction is made between when an SSHFP RR is missing from the result set (rather then being empty), which can lead to confusing error messages, (the "normal" warn_changed_key() blurb is emitted) e.g. when the presented host key and known hosts both match but there is no matching RR. Further, if VerifyHostKeyDNS and StrictHost...

https://bugzilla.mindrot.org/show_bug.cgi?id=2708 Bug ID: 2708 Summary: openssh: 7.5p1 update breaks ldns/sshfp Product: Portable OpenSSH Version: 7.5p1 Hardware: Other OS: FreeBSD Status: NEW Severity: normal Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: mindrot10 at...