Displaying 20 results from an estimated 10000 matches similar to: "[Bug 1296] VerifyHostKeyDNS default domain"
2014 Apr 16
0
[Bug 1296] VerifyHostKeyDNS default domain
https://bugzilla.mindrot.org/show_bug.cgi?id=1296
Christoph Lechleitner <christoph.lechleitner at iteg.at> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |christoph.lechleitner at iteg.at
--- Comment
2014 Jan 03
1
VisualHostKey vs. RekeyLimit vs. VerifyHostKeyDNS
Hello list, I'm not sure whether this is bug worthy or just my own
insanity. I'm using 6.4p1 packages from Debian jessie and
wheezy-backports.
I like VisualHostKey, although it may not add any protection (other than
not trusting one's own known_hosts file?), I've become accustomed to it
as it seems that extra neurons fire when I log into a host and get a
visual cue of what looks like
2015 Nov 18
2
Missing SSHFP RRs / VerifyHostKeyDNS & StrictHostKeyChecking
Y'all,
Currently (OpenSSH_7.1p1) no distinction is made between when an SSHFP
RR is missing from the result set (rather than being empty), which can
lead to confusing error messages (the "normal" warn_changed_key() blurb
is emitted), e.g. when the presented host key and known hosts both match
but there is no matching RR.
Further, if VerifyHostKeyDNS and StrictHostKeyChecking are
2010 Nov 04
0
[Bug 1296] VerifyHostKeyDNS default domain
https://bugzilla.mindrot.org/show_bug.cgi?id=1296
Karl P <barnaclebob at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |barnaclebob at gmail.com
Version|5.1p1 |5.6p1
Status|CLOSED
2015 Nov 19
27
[Bug 2501] New: VerifyHostKeyDNS & StrictHostKeyChecking
https://bugzilla.mindrot.org/show_bug.cgi?id=2501
Bug ID: 2501
Summary: VerifyHostKeyDNS & StrictHostKeyChecking
Product: Portable OpenSSH
Version: 7.1p1
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
2019 Feb 22
4
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
Steps to reproduce:
1. Run an SSH server with default configuration and point a domain to it.
2. Add SSHFP record to the domain, but only for Ed25519 key.
3. Attempt to connect with VerifyHostKeyDNS set to yes, but the rest
of settings set to defaults.
4. OpenSSH defaults to ECDSA instead of Ed25519 and refuses connection
because there is no ECDSA fingerprint in SSHFP records.
A stopgap solution
2010 Aug 09
1
[Bug 1296] VerifyHostKeyDNS default domain
https://bugzilla.mindrot.org/show_bug.cgi?id=1296
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Status|NEW |RESOLVED
Resolution|
2011 May 23
0
[Bug 1296] VerifyHostKeyDNS default domain
https://bugzilla.mindrot.org/show_bug.cgi?id=1296
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution| |FIXED
--- Comment #5 from Damien Miller <djm at
2024 Jun 05
1
[Bug 3698] New: SSHFP validation fails when multiple keys of the same type are found in DNS
https://bugzilla.mindrot.org/show_bug.cgi?id=3698
Bug ID: 3698
Summary: SSHFP validation fails when multiple keys of the same
type are found in DNS
Product: Portable OpenSSH
Version: 8.7p1
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: ssh
2012 Aug 31
9
[Bug 2040] New: Downgrade attack vulnerability when checking SSHFP records
https://bugzilla.mindrot.org/show_bug.cgi?id=2040
Priority: P5
Bug ID: 2040
Assignee: unassigned-bugs at mindrot.org
Summary: Downgrade attack vulnerability when checking SSHFP
records
Severity: minor
Classification: Unclassified
OS: All
Reporter: ondrej at caletka.cz
Hardware: All
2019 Feb 23
2
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
The reason why this is a bug is, for example, that if the server was
updated and it re-generated the ECDSA key you deleted, you would have
to do some non-obvious steps for your client to ignore it.
On Sat, Feb 23, 2019 at 11:49 AM Damien Miller <djm at mindrot.org> wrote:
>
> On Fri, 22 Feb 2019, Yegor Ievlev wrote:
>
> > Steps to reproduce:
> > 1. Run an SSH server with
2023 Mar 15
0
Announce: OpenSSH 9.3 released
OpenSSH 9.3 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested
2009 Jun 29
2
openbsd-compat/getrrsetbyname.c: answer buffer size too large for EDNS0 and glibc
Hello.
I have an issue with SSHFP lookups using "VerifyHostKeyDNS=yes" and
"options edns0" in /etc/resolv.conf (glib >= 2.6).
getrrsetbyname() calls res_query() with a maximum buffer size of 65536.
The glibc resolver truncates this value to 16 bits, reducing the query's
advertised buffer size to 0.
BIND appears to ignore it while Unbound returns a server failure.
2012 Jan 04
0
ECDSA, SSHFP, and "Error calculating host key fingerprint."
When connecting to a host that provides an ECDSA host key and the
client has "VerifyHostKeyDNS" set to 'yes' or 'ask' SSH outputs a
mysterious and undocumented message "Error calculating host key
fingerprint." This error actually seems to be generated by
verify_host_key_dns(const char *hostname, struct sockaddr *address,
Key *hostkey, int *flags) in dns.c, but
2015 Jun 22
2
Small issue with DNSSEC / SSHFP
Hi,
I found a small issue with DNSSEC validation of SSHFP lookups. (For reference
I used OpenSSH 6.8p1 on FreeBSD 10.1).
The issue is that when DNSSEC validation fails, ssh displays a confusing
message to the user. When DNSSEC validation of an SSHFP record fails, ssh
presents the user with
"Matching host key fingerprint found in DNS.
"Are you sure you want to continue connecting
2003 Nov 13
0
sshfp (ssh+dns) code updated
hi,
I recently committed an update of the code that handles lookup of SSHFP
resource records in DNS. this code is now included by default, the old DNS
and DNSSEC defines have been removed.
for more information, read about VerifyHostKeyDNS in ssh_config(5) and
check out README.dns.
feedback would be appreciated,
jakob
2007 May 22
3
[Bug 1317] New: ssh uses obsolete SIG RRtype
http://bugzilla.mindrot.org/show_bug.cgi?id=1317
Summary: ssh uses obsolete SIG RRtype
Product: Portable OpenSSH
Version: -current
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: bitbucket at mindrot.org
ReportedBy: svallet at
2012 Feb 07
11
[Bug 1978] New: ECDSA & SHA256 support in SSHFS DNS records
https://bugzilla.mindrot.org/show_bug.cgi?id=1978
Bug #: 1978
Summary: ECDSA & SHA256 support in SSHFS DNS records
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.9p1
Platform: All
URL: https://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2-07
OS/Version: All
2012 May 09
4
feature request: modify getrrsetbyname() to use libunbound
Dear OpenSSH Developers,
I'm a member of the Debian System Administration (DSA) team. [1] We
manage the Debian Project's computing infrastructure.
Recently, DSA had the opportunity to address a member's request that we
begin using certificates to authenticate Debian Project machines to ssh
clients. We provided a lengthy reply, the summary of which is "we
publish SSHFP records; use
2014 Oct 06
0
Announce: OpenSSH 6.7 released
OpenSSH 6.7 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches,