OpenSSH 3.7 testing (Re: 3.6p1 bug on SCO OpenServer)

Darren Tucker dtucker at
Wed Sep 10 17:08:31 EST 2003

"Gary E. Miller" wrote:
> Thanks for the quick patch.  I grabbed the 10 Sep snapshot.  Works well
> for me now. "make tests" runs fine.

Excellent, thank you.

The rest is about DNS host key support (which I've never used) which is
experimental.  It comes directly from OpenBSD's OpenSSH, so any changes
would have to be done there first.  They're currently in a freeze for
release and I don't know if they'd make changes to it right now.  Anyone?

> I have my local domain,, set up in my /etc/resolv.conf so I can
> use short names.  Then if I do this it does not check the key in DNS:
>         ssh hobbes
> But this does:
>         ssh
> Seems this should be fixable?

Possibly.  I looked quickly at it but I couldn't see a simple way of doing
it.  You probably want the ai->ai_canonname from whichever 
address you ended up connecting to.

> When I put a BAD fingerprint in the DS, then try to connect, ssh will not
> let me continue.  Here is the message I get:
[snip message]
> It would be nice if it mentioned that it is the DNSSEC key that failed,
> what the bad fingerprint was, etc.  That would save a LOT of looking around...

That looks like it could be trivially added to dns.c.

> So why is it that the fingerprint generated with "ssh-keygen -l" is not
> the same as the fingerprint from "ssh-keygen -r hostname -f keyfile" ?

Sorry, no idea.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list
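
Added example, not part of the original post and not OpenSSH code: on the fingerprint question in the last quoted paragraph, this sketch assumes that "ssh-keygen -l" of this era prints an MD5 digest of the public key blob while "ssh-keygen -r" emits an SSHFP record carrying a SHA-1 digest of the same blob, so the two strings cannot match. The key is constructed (not a real RSA modulus), and explain_mismatch is a hypothetical helper showing the kind of diagnostic asked for above.

```python
import base64, hashlib, struct

SSHFP_KEY_ALG = {"ssh-rsa": 1, "ssh-dss": 2}  # SSHFP key algorithm numbers
SSHFP_FP_SHA1 = 1                             # SSHFP fingerprint type 1 = SHA-1

def ssh_string(data):
    """Length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data

def mpint(n):
    """Positive multi-precision integer; the extra byte keeps the sign bit clear."""
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def key_blob(pubkey_line):
    """Return (key type, decoded blob) from a 'type base64 [comment]' line."""
    ktype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode("ascii"):
        raise ValueError("key type inside blob does not match line prefix")
    return ktype, blob

def md5_fingerprint(blob):
    """Colon-separated MD5 hex: the assumed 'ssh-keygen -l' style."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def sshfp_digest(blob):
    """SHA-1 hex of the same blob: the assumed 'ssh-keygen -r' (SSHFP) style."""
    return hashlib.sha1(blob).hexdigest()

def sshfp_record(host, pubkey_line):
    ktype, blob = key_blob(pubkey_line)
    return f"{host} IN SSHFP {SSHFP_KEY_ALG[ktype]} {SSHFP_FP_SHA1} {sshfp_digest(blob)}"

def explain_mismatch(pubkey_line, dns_hex):
    """Hypothetical diagnostic: say which comparison failed and with what values."""
    _, blob = key_blob(pubkey_line)
    got, want = dns_hex.replace(":", "").lower(), sshfp_digest(blob)
    if got == want:
        return "SSHFP match"
    if got == hashlib.md5(blob).hexdigest():
        return "DNS record holds the MD5 (-l) fingerprint, expected SHA-1 " + want
    return f"SSHFP mismatch: DNS has {got}, host key hashes to {want}"

# Constructed sample key (not a real RSA modulus), built inline so this runs offline.
N = (1 << 1023) | 0xC0FFEE
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(
    ssh_string(b"ssh-rsa") + mpint(65537) + mpint(N)).decode() + " constructed"
```

Calling sshfp_record("hobbes", SAMPLE_LINE) yields the record line to publish, and md5_fingerprint on the same blob yields the colon-separated form; both are digests of identical bytes under different hash functions.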