search for: verify_host_key_dn

Displaying 19 results from an estimated 19 matches for "verify_host_key_dn".

2014 Mar 26
1
SSHFP issue
Have you seen this? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513 --mancha
2003 Nov 04
0
ServerLiesWarning
...cthostkeychecking", oStrictHostKeyChecking }, + { "serverlieswarning", oServerLiesWarning }, { "compression", oCompression }, { "compressionlevel", oCompressionLevel }, { "keepalive", oKeepAlives }, @@ -402,6 +403,10 @@ intptr = &options->verify_host_key_dns; goto parse_flag; + case oServerLiesWarning: + intptr = &options->server_lies_warning; + goto parse_flag; + case oStrictHostKeyChecking: intptr = &options->strict_host_key_checking; arg = strdelim(&s); @@ -856,6 +861,7 @@ options->no_host_authentication_for_lo...
2018 Jan 10
4
sshfp/ldns still having issues in 7.6
...e notes for 7.6 release notes indicate that the fix patch was included: https://www.openssh.com/txt/release-7.6 I tried 7.6 and I still cannot connect without a prompt wondering if I am really sure. ----------------- 7.4p1 debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<snip> debug3: verify_host_key_dns debug2: ldns: got 1 answers from DNS debug1: found 1 secure fingerprints in DNS debug1: matching host key fingerprint found in DNS debug1: Next authentication method: publickey debug1: Offering RSA public key: ~/.ssh/id_rsa debug1: Server accepts key: pkalg rsa-sha2-512 blen 535 debug1: Authentica...
2007 Feb 08
1
"Out of memory" error looking up SSHFP records
Hi, we're currently considering making use of RFC4255 SSHFP records, but are hitting a problem with a 4.4p1 client running on Tru64 5.1A: [...] debug3: verify_host_key_dns DNS lookup error: out of memory [...] No matching host key fingerprint found in DNS. A 4.3p2 linux client gives the following : [...] debug3: verify_host_key_dns debug1: found 1 insecure fingerprints in DNS debug1: matching host key fingerprint found in DNS [...] Matching host key fingerprint fou...
2010 Nov 28
2
[PATCH] Use canonical hostname for DNS SSHFP lookup
...st the latest snapshot of the portable OpenSSH version. Sorry if this causes any inconvenience. Regards, Jan diff -ur openssh/dns.c openssh-sshfp/dns.c --- openssh/dns.c 2010-08-31 14:41:14.000000000 +0200 +++ openssh-sshfp/dns.c 2010-11-27 23:36:30.775455403 +0100 @@ -173,7 +173,7 @@ */ int verify_host_key_dns(const char *hostname, struct sockaddr *address, - Key *hostkey, int *flags) + Key *hostkey, int *flags, const char *canohost) { u_int counter; int result; @@ -200,7 +200,7 @@ return -1; } - result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, + result = getrrsetbyname(canohost, D...
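Review bot: in the second hunk the lookup name passed to `getrrsetbyname()` changes from `hostname` to the new `canohost` argument, but the visible lines neither check `canohost` for NULL nor say how it was derived. If the canonical name comes from an unauthenticated DNS answer, the resolver decides which SSHFP RRset is consulted. The patch should state where `canohost` comes from, fall back to `hostname` when it is NULL, and update the function's header comment for the new parameter.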
2010 Nov 04
0
[Bug 1296] VerifyHostKeyDNS default domain
...n established. <snip> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6p1 Debian-0ubuntu1 debug1: match: OpenSSH_5.6p1 Debian-0ubuntu1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.6 <snip> debug3: verify_host_key_dns debug1: found 2 secure fingerprints in DNS debug1: matching host key fingerprint found in DNS debug2: bits set: 522/1024 debug1: ssh_rsa_verify: signature correct <snip> debug1: Next authentication method: password karl at dsectest.corp.slide.com's password: karl at slap1:~/openssh-5.6...
2003 Nov 27
2
Question about adding another parameter for OpenSSH
...ions->group_private_key; + goto parse_flag; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); @@ -859,6 +864,7 @@ options->no_host_authentication_for_localhost = - 1; options->rekey_limit = - 1; options->verify_host_key_dns = -1; + options->group_private_key = -1; } /* @@ -973,6 +979,8 @@ options->rekey_limit = 0; if (options->verify_host_key_dns == -1) options->verify_host_key_dns = 0; + if (options->group_private_key == -1) + options->group_private_key = 0; /* options->proxy_comm...
2012 Jan 04
0
ECDSA, SSHFP, and "Error calculating host key fingerprint."
When connecting to a host that provides an ECDSA host key and the client has "VerifyHostKeyDNS" set to 'yes' or 'ask' SSH outputs a mysterious and undocumented message "Error calculating host key fingerprint." This error actually seems to be generated by verify_host_key_dns(const char *hostname, struct sockaddr *address, Key *hostkey, int *flags) in dns.c, but neither that fact nor the reason for the error is mentioned in the manual. Is it possible to refine the error message so it is more clear what's going on or to punt and note it in the man pages? This may b...
2006 Feb 04
2
[PATCH] allow user to update changed key in known_hosts
...(msg1), - "\nbut keys of different type are already" - " known for this host."); - else - snprintf(msg1, sizeof(msg1), "."); - /* The default */ - fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); - msg2[0] = '\0'; - if (options.verify_host_key_dns) { - if (matching_host_key_dns) - snprintf(msg2, sizeof(msg2), - "Matching host key fingerprint" - " found in DNS.\n"); - else - snprintf(msg2, sizeof(msg2), - "No matching host key fingerprint" - " found in DNS.\n&qu...
2015 Jun 22
2
Small issue with DNSSEC / SSHFP
...nt matching_host_key_dns = 0; +static int dns_secure = 0; static pid_t proxy_command_pid = 0; @@ -972,13 +973,18 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, fatal("%s: sshkey_fingerprint fail", __func__); msg2[0] = '\0'; if (options.verify_host_key_dns) { - if (matching_host_key_dns) + if (!matching_host_key_dns) snprintf(msg2, sizeof(msg2), - "Matching host key fingerprint" + "No matching host key fingerprint" " found in DNS.\n"); + else if (!dns_secure) + snprintf(msg2,...
2009 Jul 09
0
[PATCH] Allow binding to a local port (OpenSSH 5.2)
...@@ -84,6 +84,7 @@ char *user_hostfile2; char *preferred_authentications; char *bind_address; /* local socket address for connection to sshd */ + char *bind_port; /* local socket source port for connection to sshd */ char *smartcard_device; /* Smartcard reader device */ int verify_host_key_dns; /* Verify host key using DNS */ diff -ruN a/ssh.c b/ssh.c --- a/ssh.c 2009-02-14 06:28:21.000000000 +0100 +++ b/ssh.c 2009-07-09 18:35:12.000000000 +0200 @@ -179,10 +179,11 @@ usage(void) { fprintf(stderr, -"usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n&quo...
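Review bot: `bind_port` is added next to `bind_address` as a `char *`, so every consumer has to parse and range-check the string itself. Storing it as an integer that is validated once when the option is parsed (1 to 65535, with a sentinel for "unset") would keep malformed values out of the connect path.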
2012 Feb 12
0
PATCH: multiple BindAddress
...char *bind_addresses[SSH_MAX_BIND_ADDRESSES]; /* local socket address list for connection to sshd, main reason for this is ipv4 and ipv6 only hosts, when using global host match */ + u_int num_bind_address; /* count of bind_addresses */ + char *pkcs11_provider; /* PKCS#11 provider */ int verify_host_key_dns; /* Verify host key using DNS */ diff -rupN orig/openssh-5.9p1/ssh.c openssh-5.9p1/ssh.c --- orig/openssh-5.9p1/ssh.c 2011-08-05 23:18:16.000000000 +0300 +++ openssh-5.9p1/ssh.c 2012-02-12 15:41:39.446044903 +0200 @@ -595,7 +595,8 @@ main(int ac, char **av) options.control_path = xstrdup(opta...
2011 Jul 17
2
openSSH 5.8p2 BindPort patch
...rt//readconf.h 2011-07-17 19:23:57.797387390 +0100 @@ -89,6 +89,7 @@ typedef struct { char *user_hostfile2; char *preferred_authentications; char *bind_address; /* local socket address for connection to sshd */ + char *bind_port; char *pkcs11_provider; /* PKCS#11 provider */ int verify_host_key_dns; /* Verify host key using DNS */ diff -rupN openssh-5.8p2//ssh.0 openssh-5.8p2-srcport//ssh.0 --- openssh-5.8p2//ssh.0 2011-05-05 02:58:10.000000000 +0100 +++ openssh-5.8p2-srcport//ssh.0 2011-07-17 21:00:05.153358189 +0100 @@ -4,7 +4,7 @@ NAME ssh - OpenSSH SSH client (remote login program...
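Review bot: the added `char *bind_port;` member in readconf.h is the only field in the visible context without a trailing comment. Add one in the style of its neighbours, and say whether the string is a numeric port, a service name, or either, since that determines how it must be validated.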
2012 May 09
4
feature request: modify getrrsetbyname() to use libunbound
Dear OpenSSH Developers, I'm a member of the Debian System Administration (DSA) team. [1] We manage the Debian Projects computing infrastructure. Recently, DSA had the opportunity to address a member's request that we begin using certificates to authenticate Debian Project machines to ssh clients. We provided a lengthy reply, the summary of which is "we publish SSHFP records; use
2013 Jun 09
7
[Bug 2119] New: SSHFP with DNSSEC – no trust anchors given, validation always fails
...Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: grawity at gmail.com The ldns DNS resolver, as used by openbsd-compat/getrrsetbyname-ldns.c, always fails to verify the DNSSEC signatures: debug3: verify_host_key_dns debug2: ldns: got 6 answers from DNS debug2: ldns: trying to validate RRset debug2: ldns: got 1 signature(s) (RRTYPE 46) from DNS debug2: ldns: RRset validation failed: General LDNS error debug1: found 6 insecure fingerprints in DNS The problem is that ldns is not being given any trust anchor, so...
2004 Sep 10
11
[Bug 910] known_hosts port numbers
http://bugzilla.mindrot.org/show_bug.cgi?id=910 mindrot at askneil.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mindrot at askneil.com ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the
2008 Apr 21
3
FIPS 140-2 OpenSSL(2007) patches
Hi, I am happy to (re)send a set of patches for compiling OpenSSH 4.7p1 with FIPS 140-2 OpenSSL. These are based on previously reported patches by Steve Marquess <marquess at ieee.org> and Ben Laurie <ben at algroup.co.uk>, for ver. OpenSSH 3.8. Note that these patches are NOT OFFICIAL, and MAY be used freely by anyone. Issues [partially] handled: SSL FIPS Self test. RC4,
2006 Nov 15
11
OpenSSH Certkey (PKI)
...mp; host_key->cert != NULL) { + Key *ca_key; + int verified; + + ca_key = key_load_public(options.ca_key_file, NULL); + if (ca_key != NULL) { + verified = cert_verify(host_key->cert, ca_key, host_key, NULL); + key_free(ca_key); + if (verified) + return 0; + } + } if (options.verify_host_key_dns && verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { Index: sshconnect2.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sshconnect2.c,v retrieving revision 1.162 diff -u -r1.162 sshconnect2.c --- sshconnect2.c 30 Au...
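Review bot: in the added certificate branch, a failed `key_load_public(options.ca_key_file, NULL)` is silent: when `ca_key` is NULL the code falls straight through to the `verify_host_key_dns` test with no log line, so a missing or unreadable CA key file goes unnoticed. Log that path with `debug()` or `error()`. Also, `cert_verify()` is treated as true on success while `verify_host_key_dns()` on the following line is `== 0` on success; a comment or a consistent return convention would guard against an inverted check later.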
2013 Oct 07
4
Feature request: FQDN Host match
Hello! I'm hoping that Gmail won't HTML format this mail so that I'll get flamed :) Anyway, my question relates to ssh_config. The problem I find is that the Host pattern is only applied to the argument given on the command line, as outlined in the man page: "The host is the hostname argument given on the command line (i.e. the name is not converted to a canonicalized host name