On Wed, 18 Nov 2015, Thordur I. Bjornsson wrote:

> Y'all,
>
> Currently (OpenSSH_7.1p1) no distinction is made between when an SSHFP
> RR is missing from the result set (rather than being empty), which can
> lead to confusing error messages (the "normal" warn_changed_key() blurb
> is emitted), e.g. when the presented host key and known hosts both match
> but there is no matching RR.
>
> Further, if VerifyHostKeyDNS and StrictHostKeyChecking are set, there
> is no prompting for confirmation if the connection should be allowed to
> proceed; I'm unsure if this is by design or not (as presented host key
> and known host key match), but I'd argue this violates POLA.
>
> Attached are two naïve patches to portable (cloned from
> anongit@xxxxxxxxxxx) that attempt to tackle the above.

Looks like the list server ate the attachments - could you attach them to a bug on https://bugzilla.mindrot.org/ ?

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev