Date:      Wed, 17 Jan 2024 23:22:21 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 276410] security/openssh-portable: SSHFP/known_hosts issues when HPN is enabled (9.6.p1_1,1)
Message-ID:  <bug-276410-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276410

            Bug ID: 276410
           Summary: security/openssh-portable: SSHFP/known_hosts issues
                    when HPN is enabled (9.6.p1_1,1)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: bdrewery@FreeBSD.org
          Reporter: leres@freebsd.org
             Flags: maintainer-feedback?(bdrewery@FreeBSD.org)

The HPN patchset for openssh-portable was updated with b3f86656fc67 however
when enabled it causes issues with ssh. When a user specifies a destination
host that is not a fully qualified domain name (relying on the resolver search
path to complete the hostname) ssh is unable to find SSHFP records (even when
present) or known_host entries.

For example, given a resolv.conf with:

    search freebsd.org

Using the FQDN works as before:

    ice 146 % /usr/local/bin/ssh freefall.freebsd.org hostname
    freefall.freebsd.org

But using just the hostname does not:

    ice 147 % /usr/local/bin/ssh freefall hostname
    The authenticity of host 'freefall (2610:1c1:1:6074::16:84)' can't be established.
    ED25519 key fingerprint is SHA256:oJ7FKX5UTBWP4CncsrsaIb1JbfbtqzKOMYni3oVLAo0.
    No matching host key fingerprint found in DNS.
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])?

In this case tcpdump shows that "freefall.freebsd.org" is used for the A and
AAAA DNS lookups but "freefall." is queried when the SSHFP lookup happens.

Rebuilding with HPN disabled solves this.

-- 
You are receiving this mail because:
You are the assignee for the bug.
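An added check, not part of the bug report or the port, for the "No matching host key fingerprint found in DNS" situation above: given a known_hosts or ssh-keyscan line, it computes the SHA256 fingerprint ssh prints and the SSHFP record the FQDN should publish, and confirms the two describe the same key. The host key below is a constructed sample, not freefall's real key.

```python
import base64
import hashlib
import struct

# OpenSSH key type -> SSHFP algorithm number (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}

def _ssh_string(b):
    # SSH wire format: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b

# Constructed sample host key (32 arbitrary bytes), NOT a real key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "freefall.freebsd.org ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()

def parse_known_hosts_line(line):
    """Accept 'host type b64' (known_hosts/ssh-keyscan) or 'type b64 [comment]'."""
    fields = line.split()
    for i, f in enumerate(fields[:-1]):
        if f in SSHFP_ALGO:
            blob = base64.b64decode(fields[i + 1])
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != f.encode():      # blob must name the same key type
                raise ValueError("key type field does not match key blob")
            return f, blob
    raise ValueError("no recognised key type in line")

def openssh_fingerprint(blob):
    # What ssh prints: base64 of SHA-256 over the raw key blob, padding stripped.
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def sshfp_record(ktype, blob):
    # SSHFP rdata: algorithm, fingerprint type 2 (SHA-256), hex digest of the blob.
    return f"{SSHFP_ALGO[ktype]} 2 {hashlib.sha256(blob).hexdigest()}"

def sshfp_matches_fingerprint(record, fingerprint):
    """True when a DNS SSHFP record (type 2) and a printed SHA256 fingerprint agree."""
    algo, fptype, hexdigest = record.split()
    if fptype != "2" or not fingerprint.startswith("SHA256:") or len(hexdigest) != 64:
        return False
    as_b64 = base64.b64encode(bytes.fromhex(hexdigest)).decode().rstrip("=")
    return as_b64 == fingerprint[len("SHA256:"):]

if __name__ == "__main__":
    ktype, blob = parse_known_hosts_line(SAMPLE_LINE)
    print(openssh_fingerprint(blob))
    print("freefall.freebsd.org. IN SSHFP", sshfp_record(ktype, blob))
```

Compare the printed record with what the resolver returns for the fully qualified name; a record published at `freefall.freebsd.org.` will never be found by a lookup for the bare label `freefall.` that the report's tcpdump shows.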