search for: sshfp

Displaying 20 results from an estimated 80 matches for "sshfp".

2010 Nov 28
2
[PATCH] Use canonical hostname for DNS SSHFP lookup
In the current implementation, ssh always uses the hostname supplied by the user directly for the SSHFP DNS record lookup. This causes problems when using the domain search path, e.g. I have "search example.com" in my resolv.conf and then do a "ssh host", I will connect to host.example.com, but ssh will query the DNS for an SSHFP record of "host.", not "host.exampl...
2012 Aug 31
9
[Bug 2040] New: Downgrade attack vulnerability when checking SSHFP records
https://bugzilla.mindrot.org/show_bug.cgi?id=2040 Priority: P5 Bug ID: 2040 Assignee: unassigned-bugs at mindrot.org Summary: Downgrade attack vulnerability when checking SSHFP records Severity: minor Classification: Unclassified OS: All Reporter: ondrej at caletka.cz Hardware: All Status: NEW Version: 6.1p1 Component: ssh Product: Portable OpenSSH Created att...
2019 Feb 22
4
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
Steps to reproduce: 1. Run an SSH server with default configuration and point a domain to it. 2. Add an SSHFP record to the domain, but only for the Ed25519 key. 3. Attempt to connect with VerifyHostKeyDNS set to yes, but the rest of the settings set to defaults. 4. OpenSSH defaults to ECDSA instead of Ed25519 and refuses the connection because there is no ECDSA fingerprint in the SSHFP records. A stopgap solution is to...
2011 Jul 28
1
Support for ECDSA and SHA-2 (SHA-256) in the SSHFP record
Hi, I was sure I sent this to openssh at openssh.com, but cannot find that email now in my Sent mailbox, so I am sending it to the developers list. I took the liberty and wrote an I-D with accompanying patch (with contributions from Ondrej Caletka) to support ECDSA in the SSHFP DNS resource record. The I-D is here: https://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2 (and the source XML here: https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/changes/draft-os-ietf-sshfp-ecdsa-sha2-00.xml) The patch to vanilla 5.8 here: https://git.nic.cz/redmine/...
2019 Feb 23
3
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
Well, known_hosts isn't exactly trusted input, since it's usually composed of the keys you first encounter, without any additional checking, as opposed to (hopefully) correctly signed SSHFP records. On Sat, Feb 23, 2019 at 10:22 PM Peter Stuge <peter at stuge.se> wrote: > > Yegor Ievlev wrote: > > > I think it's a very bad idea to have the client start treating foreign > > > network input as equivalent to local configuration. > > > > Well...
2014 Apr 07
1
Ed25519 keys in SSHFP RRs
Hello. Subramanian Moonesamy has gotten the ball rolling to include Ed25519 in IANA's registry for SSHFP key types [1]. I've opened a bug report [2] that includes a patch that adds the needed support code and provisionally assigns Ed25519 a value of 4 (values 1, 2, 3 reserved for RSA, DSA, and ECDSA, respectively) [3]. The enhancement request/bug is meant to keep the issue on the radar. --mancha...
2011 Nov 21
3
ssh-keygen -r should support SSHFP records for ECDSA (or at least return non-zero error code on failure)
hi folks: it looks like ssh-keygen -r can't export SSHFP records for ECDSA keys: 0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -f foobar -t ecdsa -q -P '' 0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -r foobar -f foobar.pub export_dns_rr: unsupported algorithm 0 dkg@pip:/tmp/cdtemp.oiRYAS$ the first number in my prompt is the return code of th...
2024 Jun 05
1
[Bug 3698] New: SSHFP validation fails when multiple keys of the same type are found in DNS
https://bugzilla.mindrot.org/show_bug.cgi?id=3698 Bug ID: 3698 Summary: SSHFP validation fails when multiple keys of the same type are found in DNS Product: Portable OpenSSH Version: 8.7p1 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: ssh...
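An added example, not code from OpenSSH (neither ssh-keygen's -r exporter nor ssh's dns.c), that ties together three threads on this page: the record shape ssh-keygen -r emits (Nov 2011 thread), the Ed25519-only zone versus an ECDSA client default (Feb 2019 thread), and a zone publishing two keys of the same type (bug 3698). Algorithm and fingerprint-type numbers are the IANA SSHFP registry values (RFC 4255, 6594, 7479). All key material is constructed placeholder bytes, not real keys, and the "strict" matching policy is my own model of how the outcomes in those reports arise, not a statement about what OpenSSH's code does.

```python
"""SSHFP record generation and host-key matching (added example, not OpenSSH code)."""
import base64
import hashlib
import struct
from enum import Enum

# RR "algorithm" field, from the IANA SSHFP RR parameters registry.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
# RR "fingerprint type" field and the hash each one selects.
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, off: int):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_pubkey_line(line: str):
    """Return (key_type, raw_blob) from an OpenSSH 'type base64 [comment]' line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, _ = _read_ssh_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match the wire blob")
    return key_type, blob


def sshfp_records(line: str, fptypes=(1, 2)):
    """One (algorithm, fptype, hex) tuple per fingerprint type; the hash covers the raw blob."""
    key_type, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[key_type]
    return [(alg, fpt, SSHFP_FPTYPE[fpt](blob).hexdigest()) for fpt in fptypes]


def format_rr(owner: str, rr) -> str:
    """Zone-file line. 'owner' must be the canonical name actually connected to."""
    alg, fpt, hexfp = rr
    return f"{owner} IN SSHFP {alg} {fpt} {hexfp.upper()}"


class Verdict(Enum):
    NO_RECORD = "no SSHFP record for this key algorithm"
    MATCH = "fingerprint agrees with every applicable record"
    MISMATCH = "fingerprint disagrees with an applicable record"


def verify_host_key(line: str, records, strict: bool = True) -> Verdict:
    """Compare a presented host key against (algorithm, fptype, hex) records.

    Only records whose algorithm equals the presented key's are applicable,
    so an Ed25519-only zone says nothing about an ECDSA key (Feb 2019 thread).
    strict=True demands agreement with every applicable record; two published
    keys of one algorithm then yield MISMATCH (the outcome bug 3698 reports),
    and a SHA-1 record alone can never satisfy a zone that also publishes
    SHA-256. strict=False accepts any single matching record, for contrast.
    (Policy is this example's assumption, not OpenSSH's dns.c.)
    """
    key_type, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[key_type]
    applicable = [r for r in records if r[0] == alg and r[1] in SSHFP_FPTYPE]
    if not applicable:
        return Verdict.NO_RECORD
    hits = [SSHFP_FPTYPE[fpt](blob).hexdigest() == hexfp.lower()
            for _, fpt, hexfp in applicable]
    ok = all(hits) if strict else any(hits)
    return Verdict.MATCH if ok else Verdict.MISMATCH


def _make_line(key_type: str, *fields: bytes) -> str:
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"


# Constructed placeholder keys (deterministic bytes, not real key material).
ED25519_LINE = _make_line("ssh-ed25519", bytes(range(32)))
ED25519_ROTATED_LINE = _make_line("ssh-ed25519", bytes(range(32, 64)))
ECDSA_LINE = _make_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64))

if __name__ == "__main__":
    zone = sshfp_records(ED25519_LINE)
    for rr in zone:
        print(format_rr("host.example.com", rr))
    print("ed25519 key vs ed25519 zone:", verify_host_key(ED25519_LINE, zone).name)
    print("ecdsa key vs ed25519-only zone:", verify_host_key(ECDSA_LINE, zone).name)
    rotated = zone + sshfp_records(ED25519_ROTATED_LINE)
    print("two ed25519 keys published:", verify_host_key(ED25519_LINE, rotated).name)
```

To check the generator against the real tool, run `ssh-keygen -r host.example.com -f /etc/ssh/ssh_host_ed25519_key.pub` on an actual key and compare its `4 2` line with the SHA-256 tuple from `sshfp_records`. In this model the NO_RECORD verdict in the ECDSA case only goes away if the client offers a key algorithm the zone has a record for, which is the role an explicit `HostKeyAlgorithms` ordering plays on the ssh side; and as the Nov 2010 patch thread notes, the owner name passed to `format_rr` has to be the canonical name the client ends up looking up, not a search-path shorthand.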
2014 Apr 07
4
[Bug 2223] New: Ed25519 support in SSHFP DNS resource records
https://bugzilla.mindrot.org/show_bug.cgi?id=2223 Bug ID: 2223 Summary: Ed25519 support in SSHFP DNS resource records Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org...
2012 Aug 31
1
[Bug 2041] New: Check for SSHFP when certificate is offered.
https://bugzilla.mindrot.org/show_bug.cgi?id=2041 Priority: P5 Bug ID: 2041 Assignee: unassigned-bugs at mindrot.org Summary: Check for SSHFP when certificate is offered. Severity: enhancement Classification: Unclassified OS: All Reporter: ondrej at caletka.cz Hardware: All Status: NEW Version: 6.1p1 Component: ssh Product: Portable OpenSSH Crea...
2019 Feb 23
2
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
Well, SSHFP is supposed to only be used on DNSSEC-enabled domains. On Sat, Feb 23, 2019 at 9:59 PM Peter Stuge <peter at stuge.se> wrote: > > Yegor Ievlev wrote: > > It would make more sense to treat SSHFP records in the same way as > > known_hosts > > I disagree with that - know...
2019 Feb 23
2
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
...s for your client to ignore it. On Sat, Feb 23, 2019 at 11:49 AM Damien Miller <djm at mindrot.org> wrote: > > On Fri, 22 Feb 2019, Yegor Ievlev wrote: > > > Steps to reproduce: > > 1. Run a SSH server with default configuration and point a domain to it. > > 2. Add SSHFP record to the domain, but only for Ed25519 key. > > 3. Attempt to connect with VerifyHostKeyDNS set to yes, but the rest > > of settings set to defaults. > > 4. OpenSSH defaults to ECDSA instead of Ed25519 and refuses connection > > because there is no ECDSA fingerprint in S...
2008 Oct 17
1
Hostbased login based on SSHFP DNS records?
Hi, is it possible to use SSHFP DNS records to enable password-free host-based login? What I already got working is to use SSHFP DNS records to verify the server host keys. debug1: found 2 secure fingerprints in DNS debug1: matching host key fingerprint found in DNS But hostbased login does not work and I still need to supply...
2015 Jun 22
2
Small issue with DNSSEC / SSHFP
Hi, I found a small issue with DNSSEC validation of SSHFP lookups. (For reference I used OpenSSH 6.8p1 on FreeBSD 10.1). The issue is that when DNSSEC validation fails, ssh displays a confusing message to the user. When DNSSEC validation of an SSHFP record fails, ssh presents the user with "Matching host key fingerprint found in DNS." "Are you su...
2008 Aug 07
0
choose the right sshfp
Greetings. I've set up several sshfp records some time ago. Everything works great except the way openssh chooses the sshfp record. Now it looks like the client asks for the name supplied on the command line. It might be a bit troublesome since there are at least three ways to set up some aliases and at least one of them is secure....
2012 Jul 17
1
[Bug 1972] ssh-keygen fails to generate SSHFP for ECDSA but exits with 0 code
...CC| |daniel.black at ovee.com.au Keywords| |openbsd, patch --- Comment #2 from Daniel Black <daniel.black at ovee.com.au> --- ecdsa fingerprints now standardised in rfc6594 and registered at http://www.iana.org/assignments/dns-sshfp-rr-parameters/dns-sshfp-rr-parameters.xml Patch: https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/changes/ssh-sshfp-ecdsa.patch If that doesn't work, your openssl doesn't have ecc support due to patent distribution restrictions. -- You are receiving this mail because...
2014 Mar 26
1
SSHFP issue
Have you seen this? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513 --mancha
2014 Apr 09
2
ED25519 SSHFP in OpenSSH & IETF
Hi All, I've been working on a diff to get SSHFP support for ed25519 in OpenSSH. SM has been working through the IETF process to obtain the SSHFP RR Type number. Despite getting "rough consensus", we still haven't heard anything from the IETF Security Directors for the draft. SM sent a mail asking why it is taking so long, and it...
2011 Jul 20
1
auto-accept keys matching DNSSEC-validated SSHFP records
...StrictDnssecChecking, determines whether or not an untrusted response is treated as a failure, or if the result is returned with a warning. In addition to adding local validation, a new setting, oAutoAnswerValidatedKeys, allows the user to automatically accept new keys which match DNSSEC-validated SSHFP records. The default for this new option is off, so even if the record matches, the user will still be asked to confirm before connecting. The patch is here: https://bugzilla.mindrot.org/show_bug.cgi?id=1672 I dug up some test cases and output from my archives. These show the results seen when...
2015 Nov 18
2
Missing SSHFP RRs / VerifyHostKeyDNS & StrictHostKeyChecking
Y'all, Currently (OpenSSH_7.1p1) no distinction is made between when an SSHFP RR is missing from the result set (rather than being empty), which can lead to confusing error messages (the "normal" warn_changed_key() blurb is emitted), e.g. when the presented host key and known hosts both match but there is no matching RR. Further, if VerifyHostKeyDNS and StrictHost...