Displaying 20 results from an estimated 800 matches similar to: "[PATCH] Use canonical hostname for DNS SSHFP lookup"
2014 Mar 26
1
SSHFP issue
Have you seen this?
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
--mancha
2015 Jun 22
2
Small issue with DNSSEC / SSHFP
Hi,
I found a small issue with DNSSEC validation of SSHFP lookups. (For reference
I used OpenSSH 6.8p1 on FreeBSD 10.1).
The issues is that when DNSSEC valiation fails, ssh displays a confusing
message to the user. When DNSSEC validation of a SSHFP record fails, ssh
presents the user with
"Matching host key fingerprint found in DNS.
"Are you sure you want to continue connecting
2018 Dec 10
2
[PATCH] cleanup of global variables server/client_version_string in sshconnect.c
In sshconnect.c there are two global variables for server_version_string
client_version_string.
These are used just in a few functions and can easily be passed as
parameters.
Also, there is a strange construct, where their memory is allocated to
the global pointers, then copies of these pointers are assigned to the
kex structure. The kex_free finally frees them via cleanup of the kex
2002 Oct 16
3
ssh-3.5p1 core dumps on Solaris 2.6
Hi,
I've reported this problem a month ago on this list, and probably no-one
is interested? Binaries were configured with krb4 and afs enabled.
However, only the second crash seems to be related to krb4.
Any thoughts?
I had to add one line to includes.h:
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
+#include <sys/ioccom.h>
#include
2012 Aug 31
9
[Bug 2040] New: Downgrade attack vulnerability when checking SSHFP records
https://bugzilla.mindrot.org/show_bug.cgi?id=2040
Priority: P5
Bug ID: 2040
Assignee: unassigned-bugs at mindrot.org
Summary: Downgrade attack vulnerability when checking SSHFP
records
Severity: minor
Classification: Unclassified
OS: All
Reporter: ondrej at caletka.cz
Hardware: All
2020 Feb 06
3
Call for testing: OpenSSH 8.2
On 2020-02-05 at 20:39 -0500, Phil Pennock wrote:
> On 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> > OpenSSH 8.2p1 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a feature release.
>
> > * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
> This actually affects me:
2011 Jul 28
1
Support for ECDSA and SHA-2 (SHA-256) in the SSHFP record
Hi,
I was sure I sent this to openssh at openssh.com, but cannot find that email now in my Sent mailbox, so I am sending it to the developers list.
I took a liberty and wrote an I-D with accompanying patch (with contributions from Ondrej Caletka) to support ECDSA in the SSHFP DNS resource record.
The I-D is here: https://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2 (and the source XML
2013 Apr 18
9
[PATCH v5 1/2] libxl: Introduce functions to add and remove USB devices to an HVM guest
This patch exposes a generic interface which can be expanded in the
future to implement USB for PVUSB, qemu, and stubdoms. It can also be
extended to include other types of USB other than host USB (for example,
tablets, mice, or keyboards).
For each device removed or added, one of two protocols is available:
* PVUSB
* qemu (DEVICEMODEL)
The caller can additionally specify "AUTO", in
2019 Feb 22
4
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
Steps to reproduce:
1. Run a SSH server with default configuration and point a domain to it.
2. Add SSHFP record to the domain, but only for Ed25519 key.
3. Attempt to connect with VerifyHostKeyDNS set to yes, but the rest
of settings set to defaults.
4. OpenSSH defaults to ECDSA instead of Ed25519 and refuses connection
because there is no ECDSA fingerprint in SSHFP records.
A stopgap solution
2014 Apr 07
1
Ed25519 keys in SSHFP RRs
Hello.
Subramanian Moonesamy has gotten the ball rolling to include Ed25519 in
IANA's registry for SSHFP key types [1].
I've opened a bug report [2] that includes a patch that adds the needed
support code and provisionally assigns Ed25519 a value of 4 (values
1,2,3 reserved for RSA, DSA, and ECDA, respectively) [3].
The enhancement request/bug is meant to keep the issue on the radar.
2019 Feb 23
3
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
Well, known_hosts isn't exactly trusted input, since it's usually
composed of the keys you first encounter, without any additional
checking, as opposed to (hopefully) correctly signed SSHFP records.
On Sat, Feb 23, 2019 at 10:22 PM Peter Stuge <peter at stuge.se> wrote:
>
> Yegor Ievlev wrote:
> > > I think it's a very bad idea to have the client start treating
2011 Nov 21
3
ssh-keygen -r should support SSHFP records for ECDSA (or at least return non-zero error code on failure)
hi folks:
it looks like ssh-keygen -r can''t export SSHFP records for ECDSA keys:
0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -f foobar -t ecdsa -q -P ''''
0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -r foobar -f foobar.pub
export_dns_rr: unsupported algorithm
0 dkg@pip:/tmp/cdtemp.oiRYAS$
the first number in my prompt is the return code of the last command;
note that
2019 Feb 23
2
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
Well, SSHFP is supposed to only be used on DNSSEC-enabled domains.
On Sat, Feb 23, 2019 at 9:59 PM Peter Stuge <peter at stuge.se> wrote:
>
> Yegor Ievlev wrote:
> > It would make more sense to treat SSHFP records in the same way as
> > known_hosts
>
> I disagree with that - known_hosts is nominally a client-local configuration.
>
> I think it's a very bad
2008 Oct 17
1
Hostbased login based on SSHFP DNS records?
Hi,
is it possible to use SSHFP DNS records to enable password-free host-based login?
What I already got working is to use SSHFP DNS records to verify the server host keys.
debug1: found 2 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
But hostbased login does not work and I still need to supply a password to log in. (Or to configure a known_hosts file on the
2019 Feb 23
2
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
The reason why this is a bug is, for example, that if the server was
updated and it re-generated the ECDSA key you deleted, you would have
to do some non-obvious steps for your client to ignore it.
On Sat, Feb 23, 2019 at 11:49 AM Damien Miller <djm at mindrot.org> wrote:
>
> On Fri, 22 Feb 2019, Yegor Ievlev wrote:
>
> > Steps to reproduce:
> > 1. Run a SSH server with
2012 Dec 27
3
[PATCH] hostfile: list known names (if any) for new hostkeys
When connecting to a host for which there's no known hostkey, check if the
relevant key has been accepted for other hostnames. This is useful when
connecting to a host with a dymamic IP address or multiple names.
---
auth.c | 4 ++--
hostfile.c | 42 ++++++++++++++++++++++++++++--------------
hostfile.h | 8 ++++++--
sshconnect.c | 39 +++++++++++++++++++++++++++++++++------
2002 Jan 26
5
[PATCH] Connect timeout
The attached patch adds a new 'ConnectTimeout' option (man page updated
in patch) to avoid wasting time when the target host is down. I needed that
because I was using rsync/rdist over ssh for massive files update and the
default connect() took too long for my purpose.
The patch was tested on Linux only, but I used a similar one for ssh 1.2.XX
on Linux, Solaris and HP-UX without
2014 Apr 07
4
[Bug 2223] New: Ed25519 support in SSHFP DNS resource records
https://bugzilla.mindrot.org/show_bug.cgi?id=2223
Bug ID: 2223
Summary: Ed25519 support in SSHFP DNS resource records
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at
2012 Aug 31
1
[Bug 2041] New: Check for SSHFP when certificate is offered.
https://bugzilla.mindrot.org/show_bug.cgi?id=2041
Priority: P5
Bug ID: 2041
Assignee: unassigned-bugs at mindrot.org
Summary: Check for SSHFP when certificate is offered.
Severity: enhancement
Classification: Unclassified
OS: All
Reporter: ondrej at caletka.cz
Hardware: All
Status: NEW
2012 Feb 07
11
[Bug 1978] New: ECDSA & SHA256 support in SSHFS DNS records
https://bugzilla.mindrot.org/show_bug.cgi?id=1978
Bug #: 1978
Summary: ECDSA & SHA256 support in SSHFS DNS records
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.9p1
Platform: All
URL: https://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-
sha2-07
OS/Version: All