[Bug 3698] New: SSHFP validation fails when multiple keys of the same type are found in DNS

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Jun 5 20:59:36 AEST 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3698

            Bug ID: 3698
           Summary: SSHFP validation fails when multiple keys of the same
                    type are found in DNS
           Product: Portable OpenSSH
           Version: 8.7p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: lukastesar03 at gmail.com

This bug was already reported back in 2022 in the openssh-unix-dev
ML[1] with no response.

Basically the OpenSSH client is not compliant with RFC4255 in the way
it checks the SSHFP records. 

> "If the algorithm and fingerprint of the key received from the SSH server match the algorithm and fingerprint of *one of* the SSHFP  resource record(s) returned from DNS, the client MAY accept the identity of the server."

However, if OpenSSH client 8.7+ performs the host key DNS check (by
looking at the SSHFP records), it fails even if there are two records
with two different keys of the same algo for the same host.

I will use examples from the original report[1] as they are still
relevant.

# example with OpenSSH_8.9p1, OpenSSL 1.1.1m  14 Dec 2021
ssh -v -o HostKeyAlgorithms=ssh-ed25519 -o VerifyHostKeyDNS=yes ssh-service.einbeispiel.ch
[...]
debug1: verify_host_key_dns: failed SSHFP type 4 fptype 2
debug1: verify_host_key_dns: matched SSHFP type 4 fptype 2
debug1: mismatching host key fingerprint found in DNS
[...]
No matching host key fingerprint found in DNS.
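To make the difference concrete, here is a small Python model (added here, not OpenSSH's code) of the two matching rules: the RFC 4255 rule that accepts a host key when it matches any SSHFP record of its type, beside a model of the behaviour the report describes, where one failing record of the same algorithm and fingerprint type outweighs a matching one. The host key blobs and SSHFP records are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479)
ALGO_ED25519 = 4
FPTYPE_SHA1, FPTYPE_SHA256 = 1, 2
HASHES = {FPTYPE_SHA1: hashlib.sha1, FPTYPE_SHA256: hashlib.sha256}

@dataclass(frozen=True)
class SSHFP:
    algorithm: int
    fptype: int
    fingerprint: bytes  # raw digest bytes

def parse_sshfp(rdata: str) -> SSHFP:
    """Parse presentation-format RDATA such as '4 2 <hex>'; whitespace inside the hex is tolerated."""
    algo, fptype, *hexparts = rdata.split()
    return SSHFP(int(algo), int(fptype), bytes.fromhex("".join(hexparts)))

def fingerprint(hostkey_blob: bytes, fptype: int) -> bytes:
    """SSHFP fingerprint: the hash over the wire-format (SSH public key blob) host key."""
    return HASHES[fptype](hostkey_blob).digest()

def rfc4255_verify(hostkey_blob: bytes, hostkey_algo: int, records: list[SSHFP]) -> bool:
    """RFC 4255 rule: accept if the key matches *one of* the SSHFP records for its algorithm."""
    return any(r.algorithm == hostkey_algo and r.fptype in HASHES
               and fingerprint(hostkey_blob, r.fptype) == r.fingerprint
               for r in records)

def reject_on_any_mismatch(hostkey_blob: bytes, hostkey_algo: int, records: list[SSHFP]) -> bool:
    """Model of the reported behaviour: a record that fails is remembered alongside the one
    that matched, so two keys of the same algorithm lead to rejection (assumed model)."""
    matched = failed = False
    for r in records:
        if r.algorithm != hostkey_algo or r.fptype not in HASHES:
            continue
        if fingerprint(hostkey_blob, r.fptype) == r.fingerprint:
            matched = True
        else:
            failed = True
    return matched and not failed

# Constructed sample: two ed25519 host keys published for one name (e.g. during key rotation).
KEY_A = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
KEY_B = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32, 64))
RECORDS = [parse_sshfp(f"4 2 {hashlib.sha256(KEY_A).hexdigest()}"),
           parse_sshfp(f"4 2 {hashlib.sha256(KEY_B).hexdigest()}")]
```

With both records published, `rfc4255_verify` accepts either key while `reject_on_any_mismatch` rejects both; with only one record published, the two rules agree.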

The bug report is filed against the first version this behavior appeared in,
but it also targets all later versions, as this has not been fixed yet.

[1] multiple SSHFP records for the same hostname and key type
https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-March/040127.html
