[Bug 3322] Switch SSHFP default digest to SHA256
bugzilla-daemon at mindrot.org
Fri Jul 16 22:16:50 AEST 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3322
Darren Tucker <dtucker at dtucker.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
             Blocks|                            |3302
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
I commented on the pull request too, but I don't think your change
actually does anything. While iterating the rrset, the existing code
uses the digest type from the DNS record:
        if (hostkey_digest_type != dnskey_digest_type) {
                hostkey_digest_type = dnskey_digest_type;
                free(hostkey_digest);

                /* Initialize host key parameters */
                if (!dns_read_key(&hostkey_algorithm,
                    &hostkey_digest_type, &hostkey_digest,
                    &hostkey_digest_len, hostkey)) {
If we add a couple of debug calls to the current code you can see it
verifies both fingerprint types (this machine has SHA1 and SHA256 RSA
fingerprints):
$ ./ssh -vvv -o verifyhostkeydns=ask -o hostkeyalgorithms=rsa-sha2-256 fw 2>&1 | grep -i dns
debug3: verify_host_key_dns
debug1: found 4 insecure fingerprints in DNS
debug3: verify_host_key_dns: checking SSHFP type 4 fptype 1
debug3: verify_host_key_dns: checking SSHFP type 1 fptype 1
debug1: verify_host_key_dns: matched SSHFP type 1 fptype 1
debug3: verify_host_key_dns: checking SSHFP type 3 fptype 2
debug3: verify_host_key_dns: checking SSHFP type 1 fptype 2
debug1: verify_host_key_dns: matched SSHFP type 1 fptype 2
It'll return success if either validate, though, which is probably not
ideal. It should probably ensure that all fingerprints match.
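As an added illustration (example code written for this page, not OpenSSH's dns.c and not part of the bug report), the Python model below mirrors the loop quoted in the comment: the digest type is taken from each SSHFP record, the host key is re-hashed only when a record's fptype differs from the cached one, and a single matching record is enough for success. Beside that it evaluates the stricter "every record for this algorithm must match" policy the comment suggests, so the two verdicts can be compared on a zone where only the SHA-256 record was refreshed after a key rotation. The key blobs (toy ssh-rsa/ecdsa/ed25519 wire encodings), the RRsets and the debug-style log lines are all constructed for the example; the SSHFP algorithm and fingerprint-type code points are the ones from RFC 4255, RFC 6594 and RFC 7479.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# SSHFP code points: algorithm (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519) and fptype (1 SHA-1, 2 SHA-256).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_DIGEST = {1: "sha1", 2: "sha256"}


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed host key blobs (toy values, not real keys). An SSHFP fingerprint is the
# digest of exactly this blob, i.e. the base64 part of the key line in known_hosts.
RSA_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(bytes(range(1, 65)))
OLD_RSA_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(bytes(range(65, 129)))
ECDSA_BLOB = ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256") + ssh_string(b"\x04" + bytes(64))
ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))


def fingerprint(blob: bytes, fptype: int) -> bytes:
    return hashlib.new(SSHFP_DIGEST[fptype], blob).digest()


def sshfp(key_type: str, blob: bytes, fptype: int):
    """SSHFP rdata as (algorithm, fptype, fingerprint), as `ssh-keygen -r` would publish it."""
    return (SSHFP_ALG[key_type], fptype, fingerprint(blob, fptype))


@dataclass
class DnsVerifyResult:
    checked: int = 0            # records iterated
    candidates: int = 0         # records whose algorithm matches the host key
    matched: int = 0            # candidates whose fingerprint matches
    digest_recomputed: int = 0  # how often the host-key digest was rebuilt
    log: list = field(default_factory=list)

    @property
    def match_any(self) -> bool:
        # Current OpenSSH semantics: one matching record sets DNS_VERIFY_MATCH.
        return self.matched > 0

    @property
    def match_all(self) -> bool:
        # Stricter policy from the comment: every record for this algorithm must match.
        return self.candidates > 0 and self.matched == self.candidates


def verify_host_key_dns(key_type: str, blob: bytes, rrset) -> DnsVerifyResult:
    hostkey_algorithm = SSHFP_ALG[key_type]
    hostkey_digest_type = None
    hostkey_digest = b""
    res = DnsVerifyResult()
    for dnskey_algorithm, dnskey_digest_type, dnskey_digest in rrset:
        res.checked += 1
        # As in the quoted loop: the digest type comes from the DNS record, and the
        # host key is re-hashed only when that type differs from the cached one.
        if hostkey_digest_type != dnskey_digest_type:
            hostkey_digest_type = dnskey_digest_type
            hostkey_digest = fingerprint(blob, dnskey_digest_type)
            res.digest_recomputed += 1
        res.log.append(f"checking SSHFP type {dnskey_algorithm} fptype {dnskey_digest_type}")
        if dnskey_algorithm != hostkey_algorithm:
            continue  # record for another key type on this host; not a candidate
        res.candidates += 1
        if hmac.compare_digest(hostkey_digest, dnskey_digest):  # constant-time, like timingsafe_bcmp
            res.matched += 1
            res.log.append(f"matched SSHFP type {dnskey_algorithm} fptype {dnskey_digest_type}")
    return res


# Constructed RRset shaped like the debug output in the comment: SHA-1 and SHA-256
# records for the RSA key plus records for the host's other key types.
RRSET_OK = [
    sshfp("ssh-ed25519", ED25519_BLOB, 1),
    sshfp("ssh-rsa", RSA_BLOB, 1),
    sshfp("ecdsa-sha2-nistp256", ECDSA_BLOB, 2),
    sshfp("ssh-rsa", RSA_BLOB, 2),
]
# Same zone after an RSA key rotation where only the SHA-256 record was refreshed.
RRSET_STALE = [
    sshfp("ssh-ed25519", ED25519_BLOB, 1),
    sshfp("ssh-rsa", OLD_RSA_BLOB, 1),
    sshfp("ssh-rsa", RSA_BLOB, 2),
]

if __name__ == "__main__":
    for name, rrset in (("ok", RRSET_OK), ("stale", RRSET_STALE)):
        r = verify_host_key_dns("ssh-rsa", RSA_BLOB, rrset)
        print(f"[{name}] any={r.match_any} all={r.match_all} "
              f"matched={r.matched}/{r.candidates} digests computed={r.digest_recomputed}")
        for line in r.log:
            print("  verify_host_key_dns:", line)
```

Against the stale zone the current rule still reports success, because the refreshed SHA-256 record matches, while the all-records rule fails on the leftover SHA-1 record; that is the difference the comment points at. The `digest_recomputed` counter also makes the caching behaviour visible: records ordered by fptype cost one hash per type, an interleaved RRset costs one per record.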
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3302
[Bug 3302] Tracking bug for openssh-8.7