similar to: [Bug 1296] VerifyHostKeyDNS default domain

Displaying 20 results from an estimated 10000 matches similar to: "[Bug 1296] VerifyHostKeyDNS default domain"

2014 Apr 16
0
[Bug 1296] VerifyHostKeyDNS default domain
https://bugzilla.mindrot.org/show_bug.cgi?id=1296 Christoph Lechleitner <christoph.lechleitner at iteg.at> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |christoph.lechleitner at iteg. | |at --- Comment
2014 Jan 03
1
VisualHostKey vs. RekeyLimit vs. VerifyHostKeyDNS
Hello list, I'm not sure whether this is bug worthy or just my own insanity. I'm using 6.4p1 packages from Debian jessie and wheezy-backports. I like VisualHostKey, although it may not add any protection (other than not trusting ones own known_hosts file?), I've become accustomed to it as it seems that extra neurons fire when I log into a host and get a visual cue of what looks like
2015 Nov 18
2
Missing SSHFP RRs / VerifyHostKeyDNS & StrictHostKeyChecking
Y'all, Currently (OpenSSH_7.1p1) no distinction is made between when an SSHFP RR is missing from the result set (rather then being empty), which can lead to confusing error messages, (the "normal" warn_changed_key() blurb is emitted) e.g. when the presented host key and known hosts both match but there is no matching RR. Further, if VerifyHostKeyDNS and StrictHostKeyChecking are
2010 Nov 04
0
[Bug 1296] VerifyHostKeyDNS default domain
https://bugzilla.mindrot.org/show_bug.cgi?id=1296 Karl P <barnaclebob at gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |barnaclebob at gmail.com Version|5.1p1 |5.6p1 Status|CLOSED
2015 Nov 19
27
[Bug 2501] New: VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501 Bug ID: 2501 Summary: VerifyHostKeyDNS & StrictHostKeyChecking Product: Portable OpenSSH Version: 7.1p1 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org
2019 Feb 22
4
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
Steps to reproduce: 1. Run a SSH server with default configuration and point a domain to it. 2. Add SSHFP record to the domain, but only for Ed25519 key. 3. Attempt to connect with VerifyHostKeyDNS set to yes, but the rest of settings set to defaults. 4. OpenSSH defaults to ECDSA instead of Ed25519 and refuses connection because there is no ECDSA fingerprint in SSHFP records. A stopgap solution
2010 Aug 09
1
[Bug 1296] VerifyHostKeyDNS default domain
https://bugzilla.mindrot.org/show_bug.cgi?id=1296 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org Status|NEW |RESOLVED Resolution|
2011 May 23
0
[Bug 1296] VerifyHostKeyDNS default domain
https://bugzilla.mindrot.org/show_bug.cgi?id=1296 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution| |FIXED --- Comment #5 from Damien Miller <djm at
2024 Jun 05
1
[Bug 3698] New: SSHFP validation fails when multiple keys of the same type are found in DNS
https://bugzilla.mindrot.org/show_bug.cgi?id=3698 Bug ID: 3698 Summary: SSHFP validation fails when multiple keys of the same type are found in DNS Product: Portable OpenSSH Version: 8.7p1 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: ssh
2012 Aug 31
9
[Bug 2040] New: Downgrade attack vulnerability when checking SSHFP records
https://bugzilla.mindrot.org/show_bug.cgi?id=2040 Priority: P5 Bug ID: 2040 Assignee: unassigned-bugs at mindrot.org Summary: Downgrade attack vulnerability when checking SSHFP records Severity: minor Classification: Unclassified OS: All Reporter: ondrej at caletka.cz Hardware: All
2019 Feb 23
2
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
The reason why this is a bug is, for example, that if the server was updated and it re-generated the ECDSA key you deleted, you would have to do some non-obvious steps for your client to ignore it. On Sat, Feb 23, 2019 at 11:49 AM Damien Miller <djm at mindrot.org> wrote: > > On Fri, 22 Feb 2019, Yegor Ievlev wrote: > > > Steps to reproduce: > > 1. Run a SSH server with
2023 Mar 15
0
Announce: OpenSSH 9.3 released
OpenSSH 9.3 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested
2009 Jun 29
2
openbsd-compat/getrrsetbyname.c: answer buffer size too large for EDNS0 and glibc
Hello. I have an issue with SSHFP lookups using "VerifyHostKeyDNS=yes" and "options edns0" in /etc/resolv.conf (glib >= 2.6). getrrsetbyname() calls res_query() with a maximum buffer size of 65536. The glibc resolver truncates this value to 16 bits, reducing the query's advertised buffer size to 0. BIND appears to ignore it while Unbound returns a server failure.
2012 Jan 04
0
ECDSA, SSHFP, and "Error calculating host key fingerprint."
When connecting to a host that provides an ECDSA host key and the client has "VerifyHostKeyDNS" set to 'yes' or 'ask' SSH outputs a mysterious and undocumented message "Error calculating host key fingerprint." This error actually seems to be generated by verify_host_key_dns(const char *hostname, struct sockaddr *address, Key *hostkey, int *flags) in dns.c, but
2015 Jun 22
2
Small issue with DNSSEC / SSHFP
Hi, I found a small issue with DNSSEC validation of SSHFP lookups. (For reference I used OpenSSH 6.8p1 on FreeBSD 10.1). The issues is that when DNSSEC valiation fails, ssh displays a confusing message to the user. When DNSSEC validation of a SSHFP record fails, ssh presents the user with "Matching host key fingerprint found in DNS. "Are you sure you want to continue connecting
2003 Nov 13
0
sshfp (ssh+dns) code updated
hi, I recently committed an update of the code that handles lookup of SSHFP resource records in DNS. this code is now included by default, the old DNS and DNSSEC defines has been removed. for more information, read about VerifyHostKeyDNS in ssh_config(5) and check out README.dns. feedback would be appreciated, jakob
2007 May 22
3
[Bug 1317] New: ssh uses obsolete SIG RRtype
http://bugzilla.mindrot.org/show_bug.cgi?id=1317 Summary: ssh uses obsolete SIG RRtype Product: Portable OpenSSH Version: -current Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: bitbucket at mindrot.org ReportedBy: svallet at
2012 Feb 07
11
[Bug 1978] New: ECDSA & SHA256 support in SSHFS DNS records
https://bugzilla.mindrot.org/show_bug.cgi?id=1978 Bug #: 1978 Summary: ECDSA & SHA256 support in SSHFS DNS records Classification: Unclassified Product: Portable OpenSSH Version: 5.9p1 Platform: All URL: https://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa- sha2-07 OS/Version: All
2012 May 09
4
feature request: modify getrrsetbyname() to use libunbound
Dear OpenSSH Developers, I'm a member of the Debian System Administration (DSA) team. [1] We manage the Debian Projects computing infrastructure. Recently, DSA had the opportunity to address a member's request that we begin using certificates to authenticate Debian Project machines to ssh clients. We provided a lengthy reply, the summary of which is "we publish SSHFP records; use
2014 Oct 06
0
Announce: OpenSSH 6.7 released
OpenSSH 6.7 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches,