[Bug 2217] allow using _ssh._tcp SRV records

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Dec 29 01:02:12 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=2217

Jeremy Saklad <stadium-cyclops.0i at icloud.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |stadium-cyclops.0i at icloud.com

--- Comment #2 from Jeremy Saklad <stadium-cyclops.0i at icloud.com> ---
This would be invaluable, particularly for services like Git.

I try to maintain strict separation between machines and the services
they provide, such that I can move the service to a different machine
without disrupting access. I also want to provide multiple methods of
access, such as through an onion service. I currently use these records
to convey that:

```
_ssh._tcp.git.saklad5.com. 604800 IN    SRV     0 0 22 yqxxaadd7hhmjzyier2jftbnzxw3ddvbm4ggz5y7yuxzmcxlpcmwdcyd.onion.
_ssh._tcp.git.saklad5.com. 604800 IN    SRV     1 0 22 baza.saklad5.com.
```

The principles of RFC 7673 and similar specs apply here: when using
DANE, OpenSSH must validate the delegation with DNSSEC then query SSHFP
records for the ultimate target. If any link in the chain of resolution
isn't secured, validation fails.

Assuming DNSSEC is used correctly, the records above should mean that
`ssh git@git.saklad5.com` is equivalent to
`ssh git@yqxxaadd7hhmjzyier2jftbnzxw3ddvbm4ggz5y7yuxzmcxlpcmwdcyd.onion:22`,
falling back to `ssh git@baza.saklad5.com:22`. In keeping with RFC
7686, OpenSSH would immediately skip the onion address unless
configured with Tor support.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
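The resolution logic the comment describes, as an added example that is not part of the bug report and not OpenSSH's code: SRV targets are tried in RFC 2782 priority/weight order, every lookup on the way to a target must be DNSSEC-validated or the whole resolution fails, and `.onion` targets are skipped per RFC 7686 unless Tor support is configured. The resolver is a constructed in-memory table keyed by (owner, rrtype), the `secure` flag stands in for a validating resolver's AD bit, and the SSHFP content is a labelled placeholder rather than a real fingerprint.

```python
"""Added example, not from the bug report or OpenSSH: a model of the client-side
resolution the comment describes. SRV targets are tried in RFC 2782 order,
every lookup in the chain must be DNSSEC-secured (modelled as an AD-style
flag), and .onion targets are skipped per RFC 7686 unless Tor is configured.
All records are constructed in memory; nothing touches live DNS."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


class InsecureChain(Exception):
    """Raised when any lookup needed to reach a target is not DNSSEC-secured."""


ONION = "yqxxaadd7hhmjzyier2jftbnzxw3ddvbm4ggz5y7yuxzmcxlpcmwdcyd.onion."

# Constructed stand-in for a validating resolver: (owner, rrtype) -> (rrset, secure).
# The SRV rrset mirrors the records quoted in the comment; the SSHFP content is a
# placeholder, not a real fingerprint.
ZONE = {
    ("_ssh._tcp.git.saklad5.com.", "SRV"): (
        [SRV(0, 0, 22, ONION), SRV(1, 0, 22, "baza.saklad5.com.")], True),
    ("baza.saklad5.com.", "SSHFP"): (
        ["SSHFP 4 2 <constructed-placeholder-fingerprint>"], True),
}

# Same data, but the SSHFP answer for baza arrives without DNSSEC validation.
INSECURE_ZONE = dict(ZONE)
INSECURE_ZONE[("baza.saklad5.com.", "SSHFP")] = (
    ZONE[("baza.saklad5.com.", "SSHFP")][0], False)


def lookup(zone, owner, rrtype):
    """Return the rrset, refusing to use any answer that was not validated."""
    rrset, secure = zone[(owner, rrtype)]
    if not secure:
        raise InsecureChain(f"{rrtype} {owner} is not DNSSEC-secured")
    return rrset


def srv_order(records, rng):
    """RFC 2782 ordering: ascending priority; within one priority, weighted
    random selection, with zero-weight records placed first in the list."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            n = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for r in group:
                running += r.weight
                if running >= n:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def resolve_ssh_targets(service, zone, tor_enabled=False, seed=0):
    """Return [(host, port, sshfp_rrset)] in the order a client would try them.
    Raises InsecureChain if any step of the resolution is unvalidated."""
    rng = random.Random(seed)  # fixed seed keeps the example deterministic
    targets = []
    for srv in srv_order(lookup(zone, f"_ssh._tcp.{service}.", "SRV"), rng):
        if srv.target.endswith(".onion."):
            if not tor_enabled:
                continue  # RFC 7686: .onion names are not resolved through DNS
            # No DNS chain exists for an onion name, so there is no SSHFP to
            # fetch; host-key checking stays with the usual known_hosts path.
            targets.append((srv.target.rstrip("."), srv.port, None))
            continue
        sshfp = lookup(zone, srv.target, "SSHFP")  # secured, or the chain fails
        targets.append((srv.target.rstrip("."), srv.port, sshfp))
    return targets


def chain_is_secure(service, zone, tor_enabled=False):
    """True when every lookup needed for the service was DNSSEC-validated."""
    try:
        resolve_ssh_targets(service, zone, tor_enabled)
        return True
    except InsecureChain:
        return False


if __name__ == "__main__":
    print(resolve_ssh_targets("git.saklad5.com", ZONE))
    print(resolve_ssh_targets("git.saklad5.com", ZONE, tor_enabled=True))
    print(chain_is_secure("git.saklad5.com", INSECURE_ZONE))
```

With the records as quoted, a client without Tor support resolves straight to `baza.saklad5.com` on port 22 with its SSHFP set; with Tor enabled the onion target is tried first because it carries priority 0. Marking the SSHFP answer for `baza` as unvalidated makes the whole resolution fail, which is the "any link in the chain" property the comment asks for.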