Displaying 20 results from an estimated 1000 matches similar to: "sshfp/ldns still having issues in 7.6"
2018 Jan 11
3
sshfp/ldns still having issues in 7.6
> I replaced the ldns code with getdns. Works fine for more than a year now.
>
I am interested in how you did that. Would you mind sharing your procedure?
> I don't think anybody cares. I tried to tell people. But that had no
> effect.
>
There certainly is not as much talk about it as I would expect there to be.
2013 Jun 09
7
[Bug 2119] New: SSHFP with DNSSEC – no trust anchors given, validation always fails
https://bugzilla.mindrot.org/show_bug.cgi?id=2119
Bug ID: 2119
Summary: SSHFP with DNSSEC ? no trust anchors given, validation
always fails
Product: Portable OpenSSH
Version: 6.2p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component:
2010 Nov 28
2
[PATCH] Use canonical hostname for DNS SSHFP lookup
In the current implementation, ssh always uses the hostname supplied by
the user directly for the SSHFP DNS record lookup. This causes problems
when using the domain search path, e.g. I have "search example.com" in my
resolv.conf and then do a "ssh host", I will connect to host.example.com,
but ssh will query the DNS for an SSHFP record of "host.", not
2007 Feb 08
1
"Out of memory" error looking up SSHFP records
Hi,
we're currently considering making use of RFC4255 SSHFP records,
but are hitting a problem with a 4.4p1 client running on Tru64 5.1A:
[...]
debug3: verify_host_key_dns
DNS lookup error: out of memory
[...]
No matching host key fingerprint found in DNS.
A 4.3p2 linux client gives the following :
[...]
debug3: verify_host_key_dns
debug1: found 1 insecure fingerprints in DNS
debug1:
2017 Mar 31
10
[Bug 2702] New: ssh compiled with --with-ldns segfaults during known_hosts parsing
https://bugzilla.mindrot.org/show_bug.cgi?id=2702
Bug ID: 2702
Summary: ssh compiled with --with-ldns segfaults during
known_hosts parsing
Product: Portable OpenSSH
Version: 7.5p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
2014 Mar 26
1
SSHFP issue
Have you seen this?
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
--mancha
2015 Jun 22
2
Small issue with DNSSEC / SSHFP
Hi,
I found a small issue with DNSSEC validation of SSHFP lookups. (For reference
I used OpenSSH 6.8p1 on FreeBSD 10.1).
The issues is that when DNSSEC valiation fails, ssh displays a confusing
message to the user. When DNSSEC validation of a SSHFP record fails, ssh
presents the user with
"Matching host key fingerprint found in DNS.
"Are you sure you want to continue connecting
2012 Jun 29
2
[Bug 2022] ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled resolver and a CNAME
https://bugzilla.mindrot.org/show_bug.cgi?id=2022
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Patch applied, thanks.
I still don't understand how it gets into this state since the space
should be allocated immediately beforehand:
if (rrset->rri_nsigs > 0) {
rrset->rri_sigs = calloc(rrset->rri_nsigs,
2007 May 21
1
[PATCH] Add support for ldns
Hi,
as discussed before, we're trying to make use of SSHFP records (RFC
4255) to publish host key fingerprints in the DNS.
However, some non-OpenBSD platforms don't support DNSSEC in the native
resolver (e.g. glibc), which renders the whole thing quite useless,
since openssh correctly requires the RRs to be signed and validated.
The following patch adds support for ldns, an external
2017 Apr 08
2
[Bug 2708] New: openssh: 7.5p1 update breaks ldns/sshfp
https://bugzilla.mindrot.org/show_bug.cgi?id=2708
Bug ID: 2708
Summary: openssh: 7.5p1 update breaks ldns/sshfp
Product: Portable OpenSSH
Version: 7.5p1
Hardware: Other
OS: FreeBSD
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at
2016 Aug 03
5
[Bug 2603] New: Build with ldns and without kerberos support fails if ldns compiled with kerberos support
https://bugzilla.mindrot.org/show_bug.cgi?id=2603
Bug ID: 2603
Summary: Build with ldns and without kerberos support fails if
ldns compiled with kerberos support
Product: Portable OpenSSH
Version: 7.3p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
2012 May 09
4
feature request: modify getrrsetbyname() to use libunbound
Dear OpenSSH Developers,
I'm a member of the Debian System Administration (DSA) team. [1] We
manage the Debian Projects computing infrastructure.
Recently, DSA had the opportunity to address a member's request that we
begin using certificates to authenticate Debian Project machines to ssh
clients. We provided a lengthy reply, the summary of which is "we
publish SSHFP records; use
2012 Jun 26
2
[Bug 2022] New: ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled resolver and a CNAME
https://bugzilla.mindrot.org/show_bug.cgi?id=2022
Bug #: 2022
Summary: ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled
resolver and a CNAME
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.0p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
2015 Dec 11
4
[Bug 2516] New: ssh client shouldn't trust the DNS AD bit blindly
https://bugzilla.mindrot.org/show_bug.cgi?id=2516
Bug ID: 2516
Summary: ssh client shouldn't trust the DNS AD bit blindly
Product: Portable OpenSSH
Version: 7.1p1
Hardware: All
OS: All
Status: NEW
Severity: security
Priority: P5
Component: ssh
Assignee: unassigned-bugs at
2015 Aug 11
0
[Bug 2022] ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled resolver and a CNAME
https://bugzilla.mindrot.org/show_bug.cgi?id=2022
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release
2007 Jun 11
20
[Bug 1320] New: Add support for ldns
http://bugzilla.mindrot.org/show_bug.cgi?id=1320
Summary: Add support for ldns
Product: Portable OpenSSH
Version: -current
Platform: Other
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: ssh
AssignedTo: bitbucket at mindrot.org
ReportedBy: svallet at
2012 Jan 04
0
ECDSA, SSHFP, and "Error calculating host key fingerprint."
When connecting to a host that provides an ECDSA host key and the
client has "VerifyHostKeyDNS" set to 'yes' or 'ask' SSH outputs a
mysterious and undocumented message "Error calculating host key
fingerprint." This error actually seems to be generated by
verify_host_key_dns(const char *hostname, struct sockaddr *address,
Key *hostkey, int *flags) in dns.c, but
2012 Aug 31
9
[Bug 2040] New: Downgrade attack vulnerability when checking SSHFP records
https://bugzilla.mindrot.org/show_bug.cgi?id=2040
Priority: P5
Bug ID: 2040
Assignee: unassigned-bugs at mindrot.org
Summary: Downgrade attack vulnerability when checking SSHFP
records
Severity: minor
Classification: Unclassified
OS: All
Reporter: ondrej at caletka.cz
Hardware: All
2019 Feb 23
3
Possible bug: SSH doesn't prefer host keys listed in SSHFP records while connecting.
Well, known_hosts isn't exactly trusted input, since it's usually
composed of the keys you first encounter, without any additional
checking, as opposed to (hopefully) correctly signed SSHFP records.
On Sat, Feb 23, 2019 at 10:22 PM Peter Stuge <peter at stuge.se> wrote:
>
> Yegor Ievlev wrote:
> > > I think it's a very bad idea to have the client start treating
2008 Oct 17
1
Hostbased login based on SSHFP DNS records?
Hi,
is it possible to use SSHFP DNS records to enable password-free host-based login?
What I already got working is to use SSHFP DNS records to verify the server host keys.
debug1: found 2 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
But hostbased login does not work and I still need to supply a password to log in. (Or to configure a known_hosts file on the