Date: Fri, 6 Apr 2018 18:12:13 -0700
From: Craig Leres <leres@freebsd.org>
To: Bryan Drewery <bdrewery@FreeBSD.org>, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r466577 - in head/security/openssh-portable: . files
Message-ID: <295c901e-d369-fe1b-4f6b-cff59098e166@freebsd.org>
In-Reply-To: <201804051820.w35IKpi2062956@repo.freebsd.org>
References: <201804051820.w35IKpi2062956@repo.freebsd.org>
On 04/05/18 11:20, Bryan Drewery wrote:
> Log:
> Update to 7.7p1

This version breaks sshfp support when you don't use the fully qualified
domain name with "VerifyHostKeyDNS yes". Here's 7.6.p1_3,1:

    hot 7 % ssh -v zinc
    [...]
    debug1: found 8 secure fingerprints in DNS
    debug1: matching host key fingerprint found in DNS

Here's 7.7.p1,1:

    vet 17 % ssh -v zinc
    [...]
    DNS lookup error: general failure
    No ECDSA host key is known for zinc and you have requested strict checking.
    Host key verification failed.

It works as with the previous version if I use zinc.ee.lbl.gov.

Looking at the release notes I see:

    ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert
    any certificate keys to plain keys and attempt SSHFP resolution. Prevents
    a server from skipping SSHFP lookup and forcing a new-hostkey dialog by
    offering only certificate keys.

I'm guessing this inadvertently broke non-FQDN sshfp?

Craig
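Added example (not part of the message above or of OpenSSH): the SSHFP computation that VerifyHostKeyDNS relies on, so an administrator can generate the record for a host's fully qualified name and check a presented host key against what DNS returns. It assumes a constructed throwaway ed25519 key and plain (non-certificate) host keys; the hostname is only an illustrative placeholder.

```python
"""Generate SSHFP RDATA from an OpenSSH public key line and verify a
host key against published records (RFC 4255 / RFC 6594 / RFC 7479)."""
import base64
import hashlib
import struct

# SSHFP algorithm numbers for the key types OpenSSH publishes.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line, fptype=2):
    """Return (algorithm, fptype, hex_fingerprint) for one public key line.
    The fingerprint is the hash of the raw wire-format key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])      # blob starts with the key type
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type in blob does not match the line prefix")
    return SSHFP_ALGORITHMS[keytype], fptype, SSHFP_FPTYPES[fptype](blob).hexdigest()


def format_sshfp(fqdn, pubkey_line, fptype=2):
    """Zone-file line; the owner name must be the fully qualified host name."""
    alg, fpt, hexfp = sshfp_rdata(pubkey_line, fptype)
    return f"{fqdn}. IN SSHFP {alg} {fpt} {hexfp.upper()}"


def host_key_matches(pubkey_line, records):
    """records: (algorithm, fptype, hex) tuples as returned by DNS.
    True if any record with a supported fingerprint type matches the key."""
    for alg, fpt, hexfp in records:
        if fpt in SSHFP_FPTYPES and sshfp_rdata(pubkey_line, fpt) == (alg, fpt, hexfp.lower()):
            return True
    return False


def make_ed25519_line(raw32):
    """Build a constructed ed25519 public key line (test data, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


SAMPLE_KEY = make_ed25519_line(bytes(range(32)))  # constructed sample
```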