OpenSSH 3.7 testing (Re: 3.6p1 bug on SCO OpenServer)

Gary E. Miller gem at rellim.com
Wed Sep 10 15:19:37 EST 2003


Yo Darren!

On Sun, 7 Sep 2003, Darren Tucker wrote:

> Thanks for that, both of those have been fixed.  You can try the attached
> patch, or wait for tomorrow's snapshot.

Thanks for the quick patch.  I grabbed the 10 Sep snapshot.  Works well
for me now. "make tests" runs fine.

Couple of issues with the key in DNS.  Not exactly sure what is going on
yet.  I have the key in my dnssec zone now.

I have my local domain, rellim.com, set up in my /etc/resolv.conf so I can
use short names.  Then if I do this it does not check the key in DNS:
	ssh hobbes

But this does:
	ssh hobbes.rellim.com

Seems this should be fixable?

When I put a BAD fingerprint in the DS, then try to connect, ssh will not
let me continue.  Here is the message I get:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
Please contact your system administrator.
Host key verification failed.

It would be nice if it mentioned that it is the DNSSEC key that failed,
what the bad fingerprint was, etc.  That would save a LOT of looking around...

At this point, some of my DNSSEC keys work and some do not.  Could be
operator error, maybe not.

So why is it that the fingerprint generated with "ssh-keygen -l" is not
the same as the fingerprint from "ssh-keygen -r hostname -f keyfile"?

This is on a heavily patched Slackware 8.0, running gcc 3.3, glibc 2.3.2 and
openssl 0.9.7b.  Here is the config output:

                    Manpage format: man
                       DNS support: yes
                       PAM support: no
                 KerberosV support: no
                 Smartcard support: no
                     S/KEY support: no
              TCP Wrappers support: yes
              MD5 password support: yes
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

              Host: i686-pc-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/usr/local/ssl/lib
      Linker flags: -L/usr/local/ssl/lib
         Libraries: -lwrap  -lresolv -lutil -lz -lnsl  -lcrypto -lcrypt



RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
	gem at rellim.com  Tel: +1(541)382-8588  Fax: +1(541)382-8676
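The mail contrasts the fingerprint printed by "ssh-keygen -l" with the one emitted by "ssh-keygen -r" for an SSHFP record. The following is an added example, not code from the mail or from OpenSSH: it builds an RSA public key blob in SSH wire format from constructed parameters (the modulus is a placeholder, not a real host key), then derives both fingerprints over that same blob. At the time of this mail "ssh-keygen -l" printed the MD5 digest of the blob as colon-separated hex, while the SSHFP record (later standardized in RFC 4255) carries algorithm 1 (RSA), fingerprint type 1 (SHA-1) and the SHA-1 digest of the blob in plain hex, so the two strings never look alike even for the same key. The final function shows the client-side check a resolver-aware ssh performs: hash the offered host key and compare against the record's fingerprint. All function names here are this example's own.

```python
"""
Added example (not from the original mail or OpenSSH): SSH public key blob,
MD5 fingerprint ("ssh-keygen -l", 2003 era), SSHFP record ("ssh-keygen -r")
and the DNS-side comparison a client makes. Key parameters are constructed.
"""
import base64
import hashlib
import struct

# Constructed RSA public key parameters (placeholder, not a real host key).
E_CONSTRUCTED = 65537
N_CONSTRUCTED = int("deadbeefcafebabe" * 16, 16) | 1   # 1024-bit, odd


# --- SSH wire-format helpers (RFC 4251 string / mpint) ----------------------
def ssh_string(data: bytes) -> bytes:
    """uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Minimal big-endian two's complement; a 0x00 is prepended if the top bit is set."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """The blob that appears base64-encoded in an 'ssh-rsa AAAA... comment' line."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def public_key_line(blob: bytes, comment: str = "example@host") -> str:
    """Render the blob as a known_hosts / authorized_keys style line."""
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def parse_rsa_public_blob(blob: bytes):
    """Inverse of rsa_public_blob: returns (key_type, e, n); rejects malformed blobs."""
    fields = []
    pos = 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if pos + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + length])
        pos += length
    if len(fields) != 3:
        raise ValueError("expected 3 fields in RSA blob, got %d" % len(fields))
    key_type = fields[0].decode("ascii")
    return key_type, int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


# --- the two fingerprints the mail compares ---------------------------------
def md5_fingerprint(blob: bytes) -> str:
    """'ssh-keygen -l' output of the era: MD5 of the blob, colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sshfp_rdata(blob: bytes) -> str:
    """SSHFP RDATA (RFC 4255): algorithm 1 = RSA, fp type 1 = SHA-1, hex digest of the blob."""
    return "1 1 %s" % hashlib.sha1(blob).hexdigest()


def sshfp_matches(rdata: str, offered_blob: bytes) -> bool:
    """Client-side check: does the DNS record's fingerprint match the host key we were offered?"""
    parts = rdata.split()
    if len(parts) != 3:
        return False
    alg, fptype, fp_hex = parts
    if alg != "1" or fptype != "1":      # only RSA / SHA-1 handled in this example
        return False
    return fp_hex.lower() == hashlib.sha1(offered_blob).hexdigest()


if __name__ == "__main__":
    blob = rsa_public_blob(E_CONSTRUCTED, N_CONSTRUCTED)
    print(public_key_line(blob))
    print("ssh-keygen -l style :", md5_fingerprint(blob))
    print("SSHFP record        :", sshfp_rdata(blob))
    print("record matches key  :", sshfp_matches(sshfp_rdata(blob), blob))
```

Run stand-alone it prints the key line, the two fingerprints and the result of the comparison; swapping in a different key (or a record published for another key) makes `sshfp_matches` return False, which is the condition that leads to the "REMOTE HOST IDENTIFICATION HAS CHANGED" refusal quoted in the mail.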