Missing SSHFP RRs / VerifyHostKeyDNS & StrictHostKeyChecking

Y'all,

Currently (OpenSSH_7.1p1) no distinction is made for when an SSHFP RR is
missing from the result set (rather than being empty), which can lead to
confusing error messages (the "normal" warn_changed_key() blurb is emitted),
e.g. when the presented host key and known hosts both match but there is no
matching RR.

Further, if VerifyHostKeyDNS and StrictHostKeyChecking are set, there is no
prompting for confirmation if the connection should be allowed to proceed;
I'm unsure if this is by design or not (as presented host key and known host
key match), but I'd argue this violates POLA.

Attached are two naïve patches to portable (cloned from anongit@xxxxxxxxxxx)
that attempt to tackle the above.

-- 
/ciao, thorduri.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
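For readers following the thread, the three-way distinction the post is asking for (no matching SSHFP RR at all, an RR that matches the presented key, RRs that exist but none match) can be spelled out in code. The block below is an added illustration written for this page; it is not the attached patches and not OpenSSH's implementation. It follows the SSHFP wire definition (RFC 4255, RFC 6594, RFC 7479: the fingerprint is a SHA-1 or SHA-256 hash over the raw public key blob, i.e. the base64-decoded field of a known_hosts line). The host key and the SSHFP result sets are constructed inline so the example runs offline; the key is not a real key, and the names verify_sshfp, DnsResult and parse_known_hosts_line are assumptions of this example.

```python
import base64
import enum
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) keyed by the OpenSSH key type string.
SSHFP_ALG = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256. Other values are unknown and ignored.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


class DnsResult(enum.Enum):
    """Outcome of checking a presented host key against the SSHFP result set."""
    NO_RECORDS = "no SSHFP RR for this key type / fingerprint type in the result set"
    MATCH = "an SSHFP RR matches the presented host key"
    MISMATCH = "SSHFP RRs exist for this key type but none matches the presented key"


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def constructed_ed25519_hostkey() -> bytes:
    """Constructed sample key blob (NOT a real key): an ssh-ed25519 public key
    whose 32 raw bytes are simply 0..31. Only used so the example runs offline."""
    return ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))


def key_type_of(blob: bytes) -> str:
    """Key type is the first SSH string of the public key blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def parse_known_hosts_line(line: str) -> bytes:
    """Return the raw key blob from a 'host keytype base64' known_hosts line."""
    _host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    if key_type_of(blob) != keytype:
        raise ValueError("key type field does not match the encoded blob")
    return blob


def sshfp_records_for(blob: bytes) -> list:
    """The (alg, fptype, hex) SSHFP RRs an operator would publish for this key."""
    alg = SSHFP_ALG[key_type_of(blob)]
    return [(alg, t, h(blob).hexdigest()) for t, h in SSHFP_HASH.items()]


def verify_sshfp(blob: bytes, records: list) -> DnsResult:
    """Classify the DNS result set for the presented key.

    `records` is a list of (alg, fptype, hexfp) tuples as returned by an SSHFP
    lookup. RRs for other key algorithms or unknown fingerprint types do not
    count as candidates, so a set containing only those is NO_RECORDS, which is
    the case the post wants kept apart from a genuine MISMATCH."""
    alg = SSHFP_ALG[key_type_of(blob)]
    candidates = [(t, fp) for a, t, fp in records if a == alg and t in SSHFP_HASH]
    if not candidates:
        return DnsResult.NO_RECORDS
    for fptype, hexfp in candidates:
        if SSHFP_HASH[fptype](blob).hexdigest() == hexfp.lower():
            return DnsResult.MATCH
    return DnsResult.MISMATCH


if __name__ == "__main__":
    blob = constructed_ed25519_hostkey()
    # Constructed known_hosts line derived from the constructed blob.
    kh_line = "example.test ssh-ed25519 " + base64.b64encode(blob).decode()
    presented = parse_known_hosts_line(kh_line)
    published = sshfp_records_for(presented)
    for name, rrset in [
        ("published RRs", published),
        ("empty result set", []),
        ("RSA-only RRs", [(1, 2, "ab" * 32)]),
        ("stale Ed25519 RR", [(4, 2, "ab" * 32)]),
    ]:
        print(f"{name:18s} -> {verify_sshfp(presented, rrset).name}")
```

With VerifyHostKeyDNS in play, only the MISMATCH outcome is evidence that the presented key disagrees with what the zone publishes; NO_RECORDS says nothing about the key, so a client that already has a matching known_hosts entry has no reason to emit a changed-key warning in that case. That is the distinction the message above is asking the client to surface in its error text.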