Date: Sun, 06 Sep 2015 20:52:29 +0200
From: Philip Homburg <pch-fbsd@u-1.phicoh.com>
To: freebsd-security@freebsd.org
Subject: ssh sshfp improvement
Message-ID: <m1ZYf3K-0000HdC@stereo.hq.phicoh.net>
Hi,

I'm not sure if this is the right list for this. If it isn't, then please redirect me to the right one.

I found three issues with how openssh handles SSHFP records:
- If DNSSEC verification fails it displays a (to me) confusing error message 'Matching host key fingerprint found in DNS.'
- It trusts resolvers doing DNSSEC validation instead of always doing local validation
- It fails to do local validation due to lack of trust anchor.

In any case, ldns, which is used for this feature, is not the right tool for the job. So I wrote a patch to use getdns instead. I submitted the patch to the openssh maintainers, but they don't seem to care.

As far as I know, FreeBSD is the only system that enables SSHFP validation by default so it makes sense to submit it here as well.

I put my code up on github: https://github.com/phicoh/openssh-getdns branch getdns.

Philip
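The three outcomes the message distinguishes (a match that was DNSSEC-validated, a match whose validation failed, and no match at all) are easy to get wrong when they are collapsed into one "fingerprint found in DNS" status. The following is an added illustration, not code from the post or from the openssh-getdns patch, of how an SSHFP check should separate them. It derives the SSHFP RDATA from a host key in OpenSSH public-key format (the fingerprint is the hash of the raw wire-format key blob, per RFC 4255 and RFC 6594) and only reports "trusted" when a record matches and the DNS answer was validated. No DNS lookup is performed: the `dnssec_validated` flag and the sample records stand in for what a locally validating resolver would return, and the sample host key is a constructed ssh-ed25519 blob with a dummy key, not a real key.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_hostkey(hostkey_line, fptype=2):
    """Derive SSHFP RDATA (algorithm, fptype, hex fingerprint) from a host key
    in OpenSSH public-key format: "<keytype> <base64 blob> [comment]".
    The fingerprint is the hash of the decoded wire-format blob."""
    keytype, b64 = hostkey_line.split()[:2]
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHMS[keytype]
    digest = SSHFP_FPTYPES[fptype](blob).hexdigest()
    return (alg, fptype, digest)


def parse_sshfp(rdata):
    """Parse presentation-format SSHFP RDATA such as "4 2 ab12...".
    Zone files may upper-case the hex or split it across whitespace."""
    parts = rdata.split()
    alg, fptype = int(parts[0]), int(parts[1])
    digest = "".join(parts[2:]).lower()
    return (alg, fptype, digest)


def verify_hostkey(hostkey_line, sshfp_rdatas, dnssec_validated):
    """Classify what the SSHFP lookup says about this host key.

    "trusted"   - a record matches AND the answer was DNSSEC-validated
    "insecure"  - a record matches but validation failed or was not done;
                  this must not be reported as a successful match
    "mismatch"  - records exist for this key's algorithm but none match
    "no-record" - nothing usable in DNS for this key's algorithm
    dnssec_validated is assumed to come from local validation (the resolver's
    own AD bit is not what this flag represents)."""
    alg, _, _ = sshfp_from_hostkey(hostkey_line)
    candidates = [parse_sshfp(r) for r in sshfp_rdatas]
    candidates = [c for c in candidates if c[0] == alg and c[1] in SSHFP_FPTYPES]
    if not candidates:
        return "no-record"
    matched = any(
        sshfp_from_hostkey(hostkey_line, fptype=c[1]) == c for c in candidates
    )
    if not matched:
        return "mismatch"
    return "trusted" if dnssec_validated else "insecure"


def _wire_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample: a syntactically valid ssh-ed25519 blob holding a dummy
# 32-byte key (not a real key), encoded the way ssh-keyscan prints host keys.
_BLOB = _wire_string(b"ssh-ed25519") + _wire_string(bytes(range(32)))
SAMPLE_HOSTKEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " example"
# Constructed SSHFP records: one derived from the sample key, one that differs.
SAMPLE_SSHFP_OK = "%d %d %s" % sshfp_from_hostkey(SAMPLE_HOSTKEY)
SAMPLE_SSHFP_BAD = "4 2 " + "00" * 32


if __name__ == "__main__":
    print("validated match :", verify_hostkey(SAMPLE_HOSTKEY, [SAMPLE_SSHFP_OK], True))
    print("unvalidated match:", verify_hostkey(SAMPLE_HOSTKEY, [SAMPLE_SSHFP_OK], False))
    print("wrong fingerprint:", verify_hostkey(SAMPLE_HOSTKEY, [SAMPLE_SSHFP_BAD], True))
```

The distinction that matters for the message's first point is between "trusted" and "insecure": both are a fingerprint match, but only the first may contribute to accepting the host key, and a client that prints the same text for both hides a validation failure from the user.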