[PATCH] Use canonical hostname for DNS SSHFP lookup

Iain Morgan imorgan at nas.nasa.gov
Sat Apr 2 03:13:41 EST 2011


On Thu, Mar 31, 2011 at 19:47:13 -0500, Damien Miller wrote:
> On Mon, 29 Nov 2010, Damien Miller wrote:
> 
> > 
> > On Sun, 28 Nov 2010, Jan Andres wrote:
> > 
> > > In the current implementation, ssh always uses the hostname supplied by
> > > the user directly for the SSHFP DNS record lookup. This causes problems
> > > when using the domain search path, e.g. I have "search example.com" in my 
> > > resolv.conf and then do a "ssh host", I will connect to host.example.com,
> > > but ssh will query the DNS for an SSHFP record of "host.", not
> > > "host.example.com.".
> > > 
> > > The patch below attempts to fix this issue by having getaddrinfo()
> > > return the canonical host name from the lookup, and passes this on so it
> > > can be used in the SSHFP record query.
> > > 
> > > As a side-effect, the patch will completely suppress the SSHFP lookup if
> > > establishing an SSH1 connection, as RSA1 keys cannot be stored in SSHFP
> > > records anyway.
> > > 
> > > The getaddrinfo() implementation in openbsd-compat/fake-rfc2553.c is
> > > also updated to support the AI_CANONNAME flag.
> > > 
> > > I don't use OpenBSD, so the patch was prepared against the latest
> > > snapshot of the portable OpenSSH version. Sorry if this causes any
> > > inconvenience.
> > 
> > I looked at this a while ago and rejected this approach as trusting the
> > DNS too much. See the thread "Re: Question about host certificates" on
> > this list from mid-June this year.
> > 
> > What we really (IMHO) need is better feedback from the local resolver as
> > to how it transformed the name before external resolution.
> > 
> > There is a hackish workaround for recent OpenSSH - in ~/.ssh/config you
> > can do:
> > 
> > Hostname *.* *:* :*
> > 	Hostname %h
> > Hostname *
> > 	Hostname %h.your.domain.com
> 
> I have just learned that Windows 7 has a flag that does exactly what we
> need here: AI_FQDN. This is its description:
> 
> > If the AI_FQDN is set and a flat name (single label) is specified,
> > GetAddrInfoW will return the fully qualified domain name that the name
> > eventually resolved to. The fully qualified domain name is returned in
> > the ai_canonname member in the associated addrinfoW structure. This
> > is different than AI_CANONNAME bit flag that returns the canonical
> > name registered in DNS which may be different than the fully qualified
> > domain name that the flat name resolved to. Only one of the AI_FQDN
> > and AI_CANONNAME bits can be set. The GetAddrInfoW function will fail
> > if both flags are present with EAI_BADFLAGS.
> 
> Now we just need the Unix variants to follow...
> 
> -d

Perhaps OpenBSD 5.0 can start the trend? ;-)

-- 
Iain Morgan
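The ~/.ssh/config workaround quoted above relies on ssh_config's first-match semantics: a single-label name falls through the `*.* *:* :*` block (which leaves dotted names and IPv6 literals alone) to the `*` block, which appends the local domain before ssh ever consults DNS, so the SSHFP query is made for the fully qualified name rather than for "host." and without trusting a DNS-supplied canonical name. The model below is an added example, not code from the thread or from OpenSSH; it reads the two pattern lines as `Host` blocks (an assumption, since the quoted text writes `Hostname` for both keywords), uses `fnmatchcase` in place of OpenSSH's own `match_pattern`, and represents the DNS query name in absolute form with a trailing dot as Jan's message does.

```python
"""Model of the ssh_config Host/Hostname workaround (added example, not OpenSSH code)."""
from fnmatch import fnmatchcase

# Constructed config fragment, read as (Host patterns, Hostname template) blocks
# in file order, mirroring the quoted workaround with your.domain.com as the
# local search domain.
WORKAROUND_CONFIG = [
    (("*.*", "*:*", ":*"), "%h"),               # dotted names and IPv6 literals: unchanged
    (("*",), "%h.your.domain.com"),             # everything else: append the local domain
]


def matches_any(host, patterns):
    """ssh_config Host matching: the block applies if any pattern matches;
    a pattern prefixed with '!' negates and wins over positive matches.
    Only '*' and '?' wildcards are meaningful (assumption: fnmatchcase is
    close enough to OpenSSH's match_pattern for such patterns)."""
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if fnmatchcase(host, pat):
            if negate:
                return False
            matched = True
    return matched


def expand_hostname(user_host, config=WORKAROUND_CONFIG):
    """Return the Hostname ssh would use: the first matching block wins,
    and %h expands to the name the user typed."""
    for patterns, template in config:
        if matches_any(user_host, patterns):
            return template.replace("%h", user_host)
    return user_host


def sshfp_query_name(user_host, config=WORKAROUND_CONFIG):
    """Name the SSHFP lookup would be issued for, as an absolute DNS name.
    Without the workaround a flat name would be queried as 'host.'; with
    it the locally completed FQDN is queried instead."""
    return expand_hostname(user_host, config) + "."


if __name__ == "__main__":
    for name in ("host", "host.example.com", "::1", "fe80::1"):
        print(f"{name:20} -> connect {expand_hostname(name):28} "
              f"SSHFP lookup {sshfp_query_name(name)}")
```

Running the script shows `host` expanding to `host.your.domain.com` while `host.example.com`, `::1` and `fe80::1` pass through untouched; the expansion happens entirely from local configuration, which is the property Damien's objection to the DNS-canonical-name approach asks for.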