[Bug 2217] allow using _ssh._tcp SRV records
bugzilla-daemon at mindrot.org
Thu Dec 29 01:02:12 AEDT 2022
https://bugzilla.mindrot.org/show_bug.cgi?id=2217
Jeremy Saklad <stadium-cyclops.0i at icloud.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |stadium-cyclops.0i at icloud.com
--- Comment #2 from Jeremy Saklad <stadium-cyclops.0i at icloud.com> ---
This would be invaluable, particularly for services like Git.
I try to maintain strict separation between machines and the services
they provide, such that I can move the service to a different machine
without disrupting access. I also want to provide multiple methods of
access, such as through an onion service. I currently use these records
to convey that:
```
_ssh._tcp.git.saklad5.com. 604800 IN SRV 0 0 22 yqxxaadd7hhmjzyier2jftbnzxw3ddvbm4ggz5y7yuxzmcxlpcmwdcyd.onion.
_ssh._tcp.git.saklad5.com. 604800 IN SRV 1 0 22 baza.saklad5.com.
```
The principles of RFC 7673 and similar specs apply here: when using
DANE, OpenSSH must validate the delegation with DNSSEC then query SSHFP
records for the ultimate target. If any link in the chain of resolution
isn't secured, validation fails.
Assuming DNSSEC is used correctly, the records above should mean that
`ssh git@git.saklad5.com` is equivalent to
`ssh git@yqxxaadd7hhmjzyier2jftbnzxw3ddvbm4ggz5y7yuxzmcxlpcmwdcyd.onion:22`,
falling back to `ssh git@baza.saklad5.com:22`. In keeping with RFC
7686, OpenSSH would immediately skip the onion address unless
configured with Tor support.
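The resolution the comment sketches (SRV lookup, priority ordering, skipping .onion targets without Tor support, and treating the host-key lookup as trustworthy only when every answer in the chain was DNSSEC-authenticated) can be modelled in a few lines. The following is an added example, not OpenSSH code and not from the bug report; the zone data is constructed, the SSHFP fingerprints are placeholders, the `weak.example` and `nosrv.example` names are invented to exercise the failure and fallback paths, and the "secure" flag stands in for the AD bit a validating resolver would set.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str

@dataclass(frozen=True)
class Answer:
    records: tuple
    secure: bool  # True when a validating resolver set the AD bit (constructed)

@dataclass(frozen=True)
class Candidate:
    target: str
    port: int
    sshfp: tuple    # SSHFP (algorithm, fptype, hex fingerprint) tuples, possibly empty
    verified: bool  # every answer on the resolution path was DNSSEC-secured

# Constructed zone data. The saklad5.com names mirror the comment's records;
# fingerprints are placeholders, and weak.example / nosrv.example are invented.
ONION = "yqxxaadd7hhmjzyier2jftbnzxw3ddvbm4ggz5y7yuxzmcxlpcmwdcyd.onion."
ZONE = {
    ("_ssh._tcp.git.saklad5.com.", "SRV"): Answer(
        (SRV(0, 0, 22, ONION), SRV(1, 0, 22, "baza.saklad5.com.")), secure=True),
    ("baza.saklad5.com.", "SSHFP"): Answer(((4, 2, "00" * 32),), secure=True),
    (ONION, "SSHFP"): Answer(((4, 2, "11" * 32),), secure=True),
    # A delegation whose SSHFP answer is unsigned: the chain must fail closed.
    ("_ssh._tcp.weak.example.", "SRV"): Answer(
        (SRV(0, 0, 2222, "host.weak.example."),), secure=True),
    ("host.weak.example.", "SSHFP"): Answer(((4, 2, "22" * 32),), secure=False),
}

def lookup(zone, name, rtype):
    """Return the Answer for (name, rtype) or None if the zone has no such RRset."""
    return zone.get((name, rtype))

def order_srv(records):
    # Simplified RFC 2782 ordering: lower priority first; within one priority,
    # higher weight first (the RFC specifies weighted random selection there).
    return sorted(records, key=lambda r: (r.priority, -r.weight))

def resolve_ssh(zone, host, tor=False):
    """Return connection candidates for `host` in preference order.

    Each candidate carries the SSHFP records found for its target and a
    `verified` flag that is True only if both the SRV answer and the target's
    SSHFP answer were DNSSEC-secured (RFC 7673 style: any insecure link fails).
    """
    name = host if host.endswith(".") else host + "."
    srv = lookup(zone, "_ssh._tcp." + name, "SRV")
    if srv is None:
        # No SRV record: connect to the host itself on port 22, as today.
        fp = lookup(zone, name, "SSHFP")
        return [Candidate(name, 22, fp.records if fp else (), bool(fp and fp.secure))]
    candidates = []
    for rec in order_srv(srv.records):
        if rec.target.endswith(".onion.") and not tor:
            continue  # RFC 7686: never resolve .onion names without Tor support
        fp = lookup(zone, rec.target, "SSHFP")
        verified = srv.secure and fp is not None and fp.secure
        candidates.append(Candidate(rec.target, rec.port,
                                    fp.records if fp else (), verified))
    return candidates

if __name__ == "__main__":
    for host in ("git.saklad5.com", "weak.example", "nosrv.example"):
        for c in resolve_ssh(ZONE, host, tor=False):
            print(f"{host} -> {c.target}:{c.port} verified={c.verified}")
```

The model fails closed on the host-key side rather than refusing to connect: a candidate with `verified=False` is still returned so a caller can fall back to the known_hosts check, which matches how OpenSSH treats an unauthenticated SSHFP answer today.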