similar to: [Bug 2708] New: openssh: 7.5p1 update breaks ldns/sshfp

Hi, as discussed before, we're trying to make use of SSHFP records (RFC 4255) to publish host key fingerprints in the DNS. However, some non-OpenBSD platforms don't support DNSSEC in the native resolver (e.g. glibc), which renders the whole thing quite useless, since openssh correctly requires the RRs to be signed and validated. The following patch adds support for ldns, an external

https://bugzilla.mindrot.org/show_bug.cgi?id=2697 Bug ID: 2697 Summary: Portable OpenSSH 7.5 can't build with ldns using ldns-config Product: Portable OpenSSH Version: 7.5p1 Hardware: All OS: All Status: NEW Severity: trivial Priority: P5 Component: Build system

https://bugzilla.mindrot.org/show_bug.cgi?id=2022 Bug #: 2022 Summary: ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled resolver and a CNAME Classification: Unclassified Product: Portable OpenSSH Version: 6.0p1 Platform: All OS/Version: All Status: NEW Severity: normal

> I replaced the ldns code with getdns. Works fine for more than a year now. > I am interested in how you did that. Would you mind sharing your procedure? > I don't think anybody cares. I tried to tell people. But that had no > effect. > There certainly is not as much talk about it as I would expect there to be.

I have been running openSSH 7.4p1 for a while now. When I upgraded to 7.5 a year or so ago I ran into the problem listed in this bug report: Bug report: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218472 The release notes for 7.6 release notes indicate that the fix patch was included: https://www.openssh.com/txt/release-7.6 I tried 7.6 and I still cannot connect without a prompt wondering

http://bugzilla.mindrot.org/show_bug.cgi?id=1320 Summary: Add support for ldns Product: Portable OpenSSH Version: -current Platform: Other OS/Version: Linux Status: NEW Severity: enhancement Priority: P2 Component: ssh AssignedTo: bitbucket at mindrot.org ReportedBy: svallet at

https://bugzilla.mindrot.org/show_bug.cgi?id=2022 --- Comment #2 from Darren Tucker <dtucker at zip.com.au> --- Patch applied, thanks. I still don't understand how it gets into this state since the space should be allocated immediately beforehand: if (rrset->rri_nsigs > 0) { rrset->rri_sigs = calloc(rrset->rri_nsigs,

https://bugzilla.mindrot.org/show_bug.cgi?id=2022 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #5 from Damien Miller <djm at mindrot.org> --- Set all RESOLVED bugs to CLOSED with release

https://bugzilla.mindrot.org/show_bug.cgi?id=2119 Bug ID: 2119 Summary: SSHFP with DNSSEC ? no trust anchors given, validation always fails Product: Portable OpenSSH Version: 6.2p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component:

https://bugzilla.mindrot.org/show_bug.cgi?id=2702 Bug ID: 2702 Summary: ssh compiled with --with-ldns segfaults during known_hosts parsing Product: Portable OpenSSH Version: 7.5p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: ssh

https://bugzilla.mindrot.org/show_bug.cgi?id=2603 Bug ID: 2603 Summary: Build with ldns and without kerberos support fails if ldns compiled with kerberos support Product: Portable OpenSSH Version: 7.3p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5

Hi, I found a small issue with DNSSEC validation of SSHFP lookups. (For reference I used OpenSSH 6.8p1 on FreeBSD 10.1). The issues is that when DNSSEC valiation fails, ssh displays a confusing message to the user. When DNSSEC validation of a SSHFP record fails, ssh presents the user with "Matching host key fingerprint found in DNS. "Are you sure you want to continue connecting

This is an epel package but I thought that I would ask here first. I am encountering unexpected behaviour from this program and I would like to know if it is a bug, or I am configuring something wrong, of if this is intended behaviour. ldns-dane version 1.6.16 (ldns version 1.6.16) When I attempt to specify the entire certificate as the desired data source for this program I get the following

https://bugzilla.mindrot.org/show_bug.cgi?id=3215 Bug ID: 3215 Summary: Reference to ldns.3.dylib is an error Product: Portable OpenSSH Version: 8.4p1 Hardware: amd64 OS: Mac OS X Status: NEW Severity: critical Priority: P5 Component: ssh Assignee: unassigned-bugs at

On 10 Oct 2017, at 3.47, Craig Leres <leres at ee.lbl.gov> wrote: > > I use dovecot under FreeBSD 10.3 and build using poudriere. My build server has 12 cores builds typically happen in parallel and I find software that is not parallel make friendly will fail once every month or so. > > Attached is a build log from this afternoon that failed because doveadm-util.o had not

https://bugzilla.mindrot.org/show_bug.cgi?id=2516 Bug ID: 2516 Summary: ssh client shouldn't trust the DNS AD bit blindly Product: Portable OpenSSH Version: 7.1p1 Hardware: All OS: All Status: NEW Severity: security Priority: P5 Component: ssh Assignee: unassigned-bugs at

OpenSSH 9.3 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested

https://bugzilla.mindrot.org/show_bug.cgi?id=1320 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #16 from Damien Miller <djm at mindrot.org> --- Close all resolved bugs after 7.3p1 release

OpenSSH 6.1 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches,

OpenSSH 6.1 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches,