Re: Small issue with DNSSEC / SSHFP

Quoting Philip Homburg <pch-openssh@xxxxxxxxxxxxxx>:

> Hi,
> 
> I found a small issue with DNSSEC validation of SSHFP lookups. (For
> reference, I used OpenSSH 6.8p1 on FreeBSD 10.1.)
> 
> The issue is that when DNSSEC validation fails, ssh displays a confusing
> message to the user. When DNSSEC validation of an SSHFP record fails, ssh
> presents the user with
> "Matching host key fingerprint found in DNS."
> "Are you sure you want to continue connecting (yes/no)?"

That's not the only confusing one.  I ran into another confusing error message
on some of my 6.6 clients when connecting to hosts which had published a full
set of SSHFPs (types 1 and 4 anyway, with both hash records for each of
those).  It was something vague like "Error calculating host key fingerprint"
with no mention of an unsupported SSHFP record.

Even though Curve25519 support was in those older versions, I guess the
support for the Ed25519 algorithm in SSHFPs lagged them by quite a while.  I
don't use algorithms 2 or 3 since none of my SSHDs are configured to support them.

It's probably of minor importance, since DNS fingerprinting is not the best
primary mechanism to verify a server's host key fingerprint.

=R=
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
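Both complaints in this thread come down to the client collapsing several distinct SSHFP outcomes (record not DNSSEC-validated, record for an algorithm or fingerprint type the client cannot check, digest mismatch, digest match) into one or two vague messages. The following is an added example, not OpenSSH code or anything posted in the thread: it computes the SSHFP RDATA for an OpenSSH host key line the way `ssh-keygen -r` does (RFC 4255 algorithm 1 RSA, 2 DSA; RFC 6594 algorithm 3 ECDSA and fingerprint type 2 SHA-256; RFC 7479 algorithm 4 Ed25519) and then checks a presentation-format SSHFP record against that key, reporting each failure mode separately. The host key is a constructed, non-functional ed25519 blob, and the DNSSEC state is passed in as a boolean standing in for the resolver's AD bit; both are assumptions of the example.

```python
"""Compute and check SSHFP records for an OpenSSH host key line.

Added example for the openssh-unix-dev thread on confusing SSHFP messages.
Not OpenSSH code.  EXAMPLE_HOST_KEY is a constructed ed25519 blob, and the
dnssec_secure flag stands in for the resolver's AD bit.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers: RFC 4255 (1, 2), RFC 6594 (3), RFC 7479 (4).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: "sha1", 2: "sha256"}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes) -> bytes:
    """Return the first wire-format string in a key blob (the key type name)."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length]


def host_key_blob(pubkey_line: str) -> tuple[str, bytes]:
    """Parse '<type> <base64> [comment]' into (type, raw blob).

    SSHFP digests are taken over this raw blob (the base64-decoded key), not
    over the text line, and the type embedded in the blob must match field 1.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if _read_ssh_string(blob) != ktype.encode():
        raise ValueError("key type field does not match the encoded blob")
    return ktype, blob


def fingerprint(blob: bytes, fptype: int) -> str:
    """Lower-case hex digest of the key blob for an SSHFP fingerprint type."""
    return hashlib.new(SSHFP_HASH[fptype], blob).hexdigest()


def sshfp_records(pubkey_line: str) -> list[tuple[int, int, str]]:
    """All (algorithm, fptype, hex) RDATA for one key, as `ssh-keygen -r` prints."""
    ktype, blob = host_key_blob(pubkey_line)
    if ktype not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {ktype}")
    alg = SSHFP_ALGORITHM[ktype]
    return [(alg, t, fingerprint(blob, t)) for t in sorted(SSHFP_HASH)]


def parse_sshfp(rdata: str) -> tuple[int, int, str]:
    """Parse presentation-format RDATA '<alg> <fptype> <hex>'; hex may be split by spaces."""
    alg, fptype, *hex_parts = rdata.split()
    return int(alg), int(fptype), "".join(hex_parts).lower()


def verify_host_key(pubkey_line: str, rdata: str, dnssec_secure: bool) -> tuple[str, str]:
    """Check one SSHFP record against the offered host key.

    Returns (status, message); status is one of 'insecure' (record not
    DNSSEC-validated, so it must not be trusted), 'unsupported' (algorithm or
    fingerprint type this checker does not know), 'skipped' (record is for a
    different key algorithm), 'mismatch' or 'match'.  The DNSSEC check comes
    first so an unvalidated record can never produce the 'match' wording.
    """
    alg, fptype, want = parse_sshfp(rdata)
    if not dnssec_secure:
        return "insecure", "SSHFP record was not DNSSEC-validated; ignoring it"
    if fptype not in SSHFP_HASH:
        return "unsupported", f"unsupported SSHFP fingerprint type {fptype}"
    if alg not in SSHFP_ALGORITHM.values():
        return "unsupported", f"unsupported SSHFP algorithm {alg}"
    ktype, blob = host_key_blob(pubkey_line)
    if ktype not in SSHFP_ALGORITHM:
        return "unsupported", f"host key type {ktype} has no SSHFP algorithm number"
    if SSHFP_ALGORITHM[ktype] != alg:
        return "skipped", f"record is for SSHFP algorithm {alg}, host key is {ktype}"
    if fingerprint(blob, fptype) != want:
        return "mismatch", f"{SSHFP_HASH[fptype]} fingerprint in DNS does not match host key"
    return "match", "matching host key fingerprint found in DNS (DNSSEC-validated)"


# Constructed ed25519 host key: the 32 "public key" bytes are just 1..32.
# This is a well-formed blob for exercising the code, not a usable key.
_EXAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(1, 33)))
EXAMPLE_HOST_KEY = "ssh-ed25519 " + base64.b64encode(_EXAMPLE_BLOB).decode() + " example"

if __name__ == "__main__":
    for alg, fptype, hexfp in sshfp_records(EXAMPLE_HOST_KEY):
        print(f"example.test. IN SSHFP {alg} {fptype} {hexfp}")
    good = "4 2 " + fingerprint(_EXAMPLE_BLOB, 2)
    for rdata, secure in [(good, True), (good, False),
                          ("4 3 " + "00" * 32, True), ("1 2 " + "00" * 32, True)]:
        print(verify_host_key(EXAMPLE_HOST_KEY, rdata, secure))
```

To compare against a real zone, feed the output of `ssh-keygen -r hostname -f /etc/ssh/ssh_host_ed25519_key.pub` as the key line and the RDATA from `dig +dnssec SSHFP hostname` as the record, using the AD flag in the answer as the dnssec_secure argument. An older client that only knows algorithms 1 to 3 lands in the 'unsupported' branch for an algorithm-4 record, which is the case the reply above describes as surfacing only as "Error calculating host key fingerprint".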