Displaying 20 results from an estimated 20 matches for "verify_host_key_dn".
2014 Mar 26
1
SSHFP issue
Have you seen this?
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
--mancha
2003 Nov 04
0
ServerLiesWarning
...cthostkeychecking", oStrictHostKeyChecking },
+ { "serverlieswarning", oServerLiesWarning },
{ "compression", oCompression },
{ "compressionlevel", oCompressionLevel },
{ "keepalive", oKeepAlives },
@@ -402,6 +403,10 @@
intptr = &options->verify_host_key_dns;
goto parse_flag;
+ case oServerLiesWarning:
+ intptr = &options->server_lies_warning;
+ goto parse_flag;
+
case oStrictHostKeyChecking:
intptr = &options->strict_host_key_checking;
arg = strdelim(&s);
@@ -856,6 +861,7 @@
options->no_host_authentication_for_lo...
2018 Jan 10
4
sshfp/ldns still having issues in 7.6
...e notes for 7.6 release notes indicate that the fix patch was
included: https://www.openssh.com/txt/release-7.6
I tried 7.6 and I still cannot connect without a prompt wondering if I am
really sure.
-----------------
7.4p1
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<snip>
debug3: verify_host_key_dns
debug2: ldns: got 1 answers from DNS
debug1: found 1 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ~/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug1: Authentica...
2007 Feb 08
1
"Out of memory" error looking up SSHFP records
Hi,
we're currently considering making use of RFC4255 SSHFP records,
but are hitting a problem with a 4.4p1 client running on Tru64 5.1A:
[...]
debug3: verify_host_key_dns
DNS lookup error: out of memory
[...]
No matching host key fingerprint found in DNS.
A 4.3p2 linux client gives the following :
[...]
debug3: verify_host_key_dns
debug1: found 1 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
[...]
Matching host key fingerprint fou...
2010 Nov 28
2
[PATCH] Use canonical hostname for DNS SSHFP lookup
...st the latest
snapshot of the portable OpenSSH version. Sorry if this causes any
inconvenience.
Regards,
Jan
diff -ur openssh/dns.c openssh-sshfp/dns.c
--- openssh/dns.c 2010-08-31 14:41:14.000000000 +0200
+++ openssh-sshfp/dns.c 2010-11-27 23:36:30.775455403 +0100
@@ -173,7 +173,7 @@
*/
int
verify_host_key_dns(const char *hostname, struct sockaddr *address,
- Key *hostkey, int *flags)
+ Key *hostkey, int *flags, const char *canohost)
{
u_int counter;
int result;
@@ -200,7 +200,7 @@
return -1;
}
- result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
+ result = getrrsetbyname(canohost, D...
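Review bot: In the second dns.c hunk, getrrsetbyname() is now called with canohost in place of hostname, and the visible lines show no NULL or empty-string check and no fallback to hostname, so a caller without a canonical name would break the SSHFP lookup. The result is also only as trustworthy as the step that produced canohost: if that name was taken from an unvalidated DNS answer, the fingerprint is read from whatever zone that answer names. Suggest falling back to hostname when canohost is NULL, and stating in the function comment which name the caller must pass and how it must have been obtained.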
2024 Jun 05
1
[Bug 3698] New: SSHFP validation fails when multiple keys of the same type are found in DNS
...ith two different keys of the same algo for the same host.
I will use examples from the original report[1] as they are still
relevant
# example with OpenSSH_8.9p1, OpenSSL 1.1.1m 14 Dec 2021
ssh -v -o HostKeyAlgorithms=ssh-ed25519 -o VerifyHostKeyDNS=yes
ssh-service.einbeispiel.ch
[...]
debug1: verify_host_key_dns: failed SSHFP type 4 fptype 2
debug1: verify_host_key_dns: matched SSHFP type 4 fptype 2
debug1: mismatching host key fingerprint found in DNS
[...]
No matching host key fingerprint found in DNS.
The bug report is filed for the first version this behavior appeared in
but targets also all future v...
2010 Nov 04
0
[Bug 1296] VerifyHostKeyDNS default domain
...n established.
<snip>
debug1: Remote protocol version 2.0, remote software version
OpenSSH_5.6p1 Debian-0ubuntu1
debug1: match: OpenSSH_5.6p1 Debian-0ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
<snip>
debug3: verify_host_key_dns
debug1: found 2 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
debug2: bits set: 522/1024
debug1: ssh_rsa_verify: signature correct
<snip>
debug1: Next authentication method: password
karl at dsectest.corp.slide.com's password:
karl at slap1:~/openssh-5.6...
2003 Nov 27
2
Question about adding another parameter for OpenSSH
...ions->group_private_key;
+ goto parse_flag;
+
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
@@ -859,6 +864,7 @@
options->no_host_authentication_for_localhost = - 1;
options->rekey_limit = - 1;
options->verify_host_key_dns = -1;
+ options->group_private_key = -1;
}
/*
@@ -973,6 +979,8 @@
options->rekey_limit = 0;
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
+ if (options->group_private_key == -1)
+ options->group_private_key = 0;
/* options->proxy_comm...
2012 Jan 04
0
ECDSA, SSHFP, and "Error calculating host key fingerprint."
When connecting to a host that provides an ECDSA host key and the
client has "VerifyHostKeyDNS" set to 'yes' or 'ask' SSH outputs a
mysterious and undocumented message "Error calculating host key
fingerprint." This error actually seems to be generated by
verify_host_key_dns(const char *hostname, struct sockaddr *address,
Key *hostkey, int *flags) in dns.c, but neither that fact nor the
reason for the error is mentioned in the manual. Is it possible to
refine the error message so it is more clear what's going on or to
punt and note it in the man pages?
This may b...
2006 Feb 04
2
[PATCH] allow user to update changed key in known_hosts
...(msg1),
- "\nbut keys of different type are already"
- " known for this host.");
- else
- snprintf(msg1, sizeof(msg1), ".");
- /* The default */
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- msg2[0] = '\0';
- if (options.verify_host_key_dns) {
- if (matching_host_key_dns)
- snprintf(msg2, sizeof(msg2),
- "Matching host key fingerprint"
- " found in DNS.\n");
- else
- snprintf(msg2, sizeof(msg2),
- "No matching host key fingerprint"
- " found in DNS.\n&qu...
2015 Jun 22
2
Small issue with DNSSEC / SSHFP
...nt matching_host_key_dns = 0;
+static int dns_secure = 0;
static pid_t proxy_command_pid = 0;
@@ -972,13 +973,18 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
fatal("%s: sshkey_fingerprint fail", __func__);
msg2[0] = '\0';
if (options.verify_host_key_dns) {
- if (matching_host_key_dns)
+ if (!matching_host_key_dns)
snprintf(msg2, sizeof(msg2),
- "Matching host key fingerprint"
+ "No matching host key fingerprint"
" found in DNS.\n");
+ else if (!dns_secure)
+ snprintf(msg2,...
2009 Jul 09
0
[PATCH] Allow binding to a local port (OpenSSH 5.2)
...@@ -84,6 +84,7 @@
char *user_hostfile2;
char *preferred_authentications;
char *bind_address; /* local socket address for connection to sshd */
+ char *bind_port; /* local socket source port for connection to sshd */
char *smartcard_device; /* Smartcard reader device */
int verify_host_key_dns; /* Verify host key using DNS */
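Review bot: The new bind_port member in this hunk is declared char * although its comment describes a local socket source port, and nothing in the visible lines shows where the string is converted or range-checked. Unless service names are meant to be accepted, suggest storing it as an int that is parsed and validated once when the option is read, so a non-numeric or out-of-range value is rejected before it reaches the socket code.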
diff -ruN a/ssh.c b/ssh.c
--- a/ssh.c 2009-02-14 06:28:21.000000000 +0100
+++ b/ssh.c 2009-07-09 18:35:12.000000000 +0200
@@ -179,10 +179,11 @@
usage(void)
{
fprintf(stderr,
-"usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n&quo...
2012 Feb 12
0
PATCH: multiple BindAddress
...char *bind_addresses[SSH_MAX_BIND_ADDRESSES]; /* local socket
address list for connection to sshd, main reason for this is ipv4 and
ipv6 only hosts, when using global host match */
+ u_int num_bind_address; /* count of bind_addresses */
+
char *pkcs11_provider; /* PKCS#11 provider */
int verify_host_key_dns; /* Verify host key using DNS */
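Review bot: In this readconf.h hunk the comment on bind_addresses appears to have been wrapped over three lines by the mailer, and the continuation lines carry no + prefix, which would stop the hunk applying cleanly; resend with line wrapping disabled or as an attachment. The fixed-size array bounded by SSH_MAX_BIND_ADDRESSES also needs the code that appends to it to check num_bind_address against that limit before writing, and the counter would read better as num_bind_addresses to match the array name.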
diff -rupN orig/openssh-5.9p1/ssh.c openssh-5.9p1/ssh.c
--- orig/openssh-5.9p1/ssh.c 2011-08-05 23:18:16.000000000 +0300
+++ openssh-5.9p1/ssh.c 2012-02-12 15:41:39.446044903 +0200
@@ -595,7 +595,8 @@ main(int ac, char **av)
options.control_path = xstrdup(opta...
2011 Jul 17
2
openSSH 5.8p2 BindPort patch
...rt//readconf.h 2011-07-17 19:23:57.797387390 +0100
@@ -89,6 +89,7 @@ typedef struct {
char *user_hostfile2;
char *preferred_authentications;
char *bind_address; /* local socket address for connection to sshd */
+ char *bind_port;
char *pkcs11_provider; /* PKCS#11 provider */
int verify_host_key_dns; /* Verify host key using DNS */
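Review bot: The added bind_port member in this typedef hunk is the only field in the visible context without a trailing comment. Add one in the style of its neighbours, saying that it is the local source port for the connection to sshd and what form of value it holds.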
diff -rupN openssh-5.8p2//ssh.0 openssh-5.8p2-srcport//ssh.0
--- openssh-5.8p2//ssh.0 2011-05-05 02:58:10.000000000 +0100
+++ openssh-5.8p2-srcport//ssh.0 2011-07-17 21:00:05.153358189 +0100
@@ -4,7 +4,7 @@ NAME
ssh - OpenSSH SSH client (remote login program...
2012 May 09
4
feature request: modify getrrsetbyname() to use libunbound
Dear OpenSSH Developers,
I'm a member of the Debian System Administration (DSA) team. [1] We
manage the Debian Project's computing infrastructure.
Recently, DSA had the opportunity to address a member's request that we
begin using certificates to authenticate Debian Project machines to ssh
clients. We provided a lengthy reply, the summary of which is "we
publish SSHFP records; use
2013 Jun 09
7
[Bug 2119] New: SSHFP with DNSSEC – no trust anchors given, validation always fails
...Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: grawity at gmail.com
The ldns DNS resolver, as used by openbsd-compat/getrrsetbyname-ldns.c,
always fails to verify the DNSSEC signatures:
debug3: verify_host_key_dns
debug2: ldns: got 6 answers from DNS
debug2: ldns: trying to validate RRset
debug2: ldns: got 1 signature(s) (RRTYPE 46) from DNS
debug2: ldns: RRset validation failed: General LDNS error
debug1: found 6 insecure fingerprints in DNS
The problem is that ldns is not being given any trust anchor, so...
2004 Sep 10
11
[Bug 910] known_hosts port numbers
http://bugzilla.mindrot.org/show_bug.cgi?id=910
mindrot at askneil.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mindrot at askneil.com
2008 Apr 21
3
FIPS 140-2 OpenSSL(2007) patches
Hi,
I am happy to (re)send a set of patches for compiling OpenSSH 4.7p1 with
FIPS 140-2 OpenSSL.
These are based on previously reported patches by Steve Marquess
<marquess at ieee.org> and Ben Laurie <ben at algroup.co.uk>,
for ver. OpenSSH 3.8.
Note that these patches are NOT OFFICIAL, and MAY be used freely by
anyone.
Issues [partially] handled:
SSL FIPS Self test.
RC4,
2006 Nov 15
11
OpenSSH Certkey (PKI)
...mp; host_key->cert != NULL) {
+ Key *ca_key;
+ int verified;
+
+ ca_key = key_load_public(options.ca_key_file, NULL);
+ if (ca_key != NULL) {
+ verified = cert_verify(host_key->cert, ca_key, host_key, NULL);
+ key_free(ca_key);
+ if (verified)
+ return 0;
+ }
+ }
if (options.verify_host_key_dns &&
verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
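Review bot: In this hunk the result of cert_verify() is tested with if (verified), so any non-zero value, including a negative error code if cert_verify() can return one, is treated as a valid certificate and the function returns 0 before the verify_host_key_dns() check below it is reached. Suggest comparing against the success value explicitly, and logging when key_load_public() returns NULL for options.ca_key_file, so that a missing or unreadable CA key is not skipped silently.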
Index: sshconnect2.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshconnect2.c,v
retrieving revision 1.162
diff -u -r1.162 sshconnect2.c
--- sshconnect2.c 30 Au...
2013 Oct 07
4
Feature request: FQDN Host match
Hello!
I'm hoping that Gmail won't HTML format this mail so that I'll get flamed :)
Anyway, my question relates to ssh_config. The problem I find is that
the Host pattern is only applied to the argument given on the command
line, as outlined in the man page:
"The host is the hostname argument given on the command line (i.e. the
name is not converted to a canonicalized host name