From: Craig Leres <leres@freebsd.org>
Subject: Re: svn commit: r466577 - in head/security/openssh-portable: . files
To: Bryan Drewery, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Date: Fri, 6 Apr 2018 18:12:13 -0700
Message-ID: <295c901e-d369-fe1b-4f6b-cff59098e166@freebsd.org>
In-Reply-To: <201804051820.w35IKpi2062956@repo.freebsd.org>
References: <201804051820.w35IKpi2062956@repo.freebsd.org>
List-Id: SVN commit messages for the ports tree for head

On 04/05/18 11:20, Bryan Drewery wrote:
> Log:
>   Update to 7.7p1

This version breaks sshfp support when you don't use the fully
qualified domain name with "VerifyHostKeyDNS yes". Here's 7.6.p1_3,1:

    hot 7 % ssh -v zinc
    [...]
    debug1: found 8 secure fingerprints in DNS
    debug1: matching host key fingerprint found in DNS

Here's 7.7.p1,1:

    vet 17 % ssh -v zinc
    [...]
    DNS lookup error: general failure
    No ECDSA host key is known for zinc and you have requested strict checking.
    Host key verification failed.

It works as with the previous version if I use zinc.ee.lbl.gov.

Looking at the release notes I see:

    ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver,
    down-convert any certificate keys to plain keys and attempt SSHFP
    resolution. Prevents a server from skipping SSHFP lookup and forcing
    a new-hostkey dialog by offering only certificate keys.

I'm guessing this inadvertently broke non-FQDN sshfp?

		Craig
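The check that the debug output above reports as "matching host key fingerprint found in DNS" is a comparison between the hash of the server's raw host-key blob and the SSHFP resource records published under the host's fully qualified name. The following is an added example, not code from this thread or from OpenSSH: it computes the SSHFP records an operator would publish (the same data `ssh-keygen -r` emits) and performs the client-side comparison against a set of DNS answers. The key it uses is a constructed ssh-ed25519 blob, not a real host key; the owner name zinc.ee.lbl.gov is taken from the message above, and the algorithm and fingerprint-type numbers follow RFC 4255, RFC 6594 and RFC 7479.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers from RFC 4255 (RSA, DSA), RFC 6594 (ECDSA) and
# RFC 7479 (Ed25519).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_openssh_pubkey(line):
    """Return (key_type, raw_blob) from an OpenSSH 'type base64 [comment]' line.

    The blob starts with an RFC 4253 string naming the key type; it must agree
    with the declared type, otherwise the line is rejected.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + name_len].decode("ascii", "replace")
    if name != key_type:
        raise ValueError(f"blob type {name!r} does not match declared {key_type!r}")
    return key_type, blob


def sshfp_records(hostname, pubkey_line, fptypes=(1, 2)):
    """Return SSHFP RRs in zone-file form, one per fingerprint type.

    The fingerprint is the hash of the raw key blob, which is what
    `ssh-keygen -r` publishes and what ssh(1) compares against.
    """
    key_type, blob = parse_openssh_pubkey(pubkey_line)
    algorithm = SSHFP_ALGORITHM[key_type]
    owner = hostname if hostname.endswith(".") else hostname + "."
    return [
        f"{owner} IN SSHFP {algorithm} {fptype} {SSHFP_FPTYPE[fptype](blob).hexdigest()}"
        for fptype in fptypes
    ]


def sshfp_rdata(record):
    """Extract (algorithm, fptype, fingerprint_hex) from a zone-form SSHFP RR."""
    parts = record.split()
    if len(parts) < 3:
        raise ValueError("malformed SSHFP record")
    return int(parts[-3]), int(parts[-2]), parts[-1].lower()


def host_key_matches_dns(pubkey_line, dns_records):
    """True if some DNS SSHFP record matches the key the server offered.

    Records for another algorithm or an unknown fingerprint type are skipped
    rather than treated as a match; an empty record set never matches.
    """
    key_type, blob = parse_openssh_pubkey(pubkey_line)
    algorithm = SSHFP_ALGORITHM[key_type]
    for record in dns_records:
        rr_alg, rr_fptype, rr_fp = sshfp_rdata(record)
        if rr_alg != algorithm or rr_fptype not in SSHFP_FPTYPE:
            continue
        if SSHFP_FPTYPE[rr_fptype](blob).hexdigest() == rr_fp:
            return True
    return False


def constructed_ed25519_pubkey_line():
    """A syntactically valid ssh-ed25519 public key line built from a fixed
    byte pattern.  Constructed for this example; it is not a real host key."""
    name = b"ssh-ed25519"
    point = bytes(range(32))  # stands in for the 32-byte Ed25519 public point
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(point)) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed@example"


SAMPLE_KEY = constructed_ed25519_pubkey_line()

if __name__ == "__main__":
    # Records an operator would publish under the host's fully qualified name.
    published = sshfp_records("zinc.ee.lbl.gov", SAMPLE_KEY)
    for rr in published:
        print(rr)
    # The client-side check, with `published` standing in for the DNS answer.
    print("match:", host_key_matches_dns(SAMPLE_KEY, published))
```

The records are keyed by the owner name the client actually resolves, which is why the comparison can only succeed when the short name used on the command line is qualified to the name the records were published under; OpenSSH's own mechanism for qualifying short names before lookup is the CanonicalizeHostname and CanonicalDomains options in ssh_config.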