[saag] ssh-keygen -r should support SSHFP records for ECDSA (or at least return non-zero error code on failure)

Stephen Farrell stephen.farrell at cs.tcd.ie
Wed Dec 7 02:26:41 EST 2011


FYI - IETF last call for this has just gone out. [1]
Please comment on ietf at ietf.org if there are issues
that need to be raised.

Thanks,
Stephen.

[1] http://www.ietf.org/mail-archive/web/ietf-announce/current/msg09643.html

On 11/23/2011 08:25 AM, Stephen Farrell wrote:
>
> Thanks Mark,
>
> Yes, I'm happy to AD sponsor. No one objected when I asked
> before and it seems quite reasonable.
>
> Ondřej - I'll start an IETF LC since there only seem to be
> typos to be fixed.
>
> Cheers,
> S.
>
> On 11/23/2011 06:06 AM, Mark D. Baushke wrote:
>> Hi Daniel,
>>
>> Daniel Kahn Gillmor<dkg at fifthhorseman.net> writes:
>>
>>> hi folks:
>>>
>>> it looks like ssh-keygen -r can't export SSHFP records for ECDSA keys:
>>>
>>> 0 dkg at pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -f foobar -t ecdsa -q -P ''
>>> 0 dkg at pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -r foobar -f foobar.pub
>>> export_dns_rr: unsupported algorithm
>>> 0 dkg at pip:/tmp/cdtemp.oiRYAS$
>>>
>>> the first number in my prompt is the return code of the last command;
>>> note that ssh-keygen -r fails to produce an SSHFP DNS RR, but it
>>> returns 0.
>>>
>>> at the least, it should return non-zero on failure.
>>>
>>>
>>> I note that the relevant RFC doesn't include an enumeration for ECDSA:
>>>
>>> https://tools.ietf.org/html/rfc4255#section-3.1.1
>>>
>>> Could anyone on this list kick off the IETF process for allocating a new
>>> ID in that registry for ECDSA? I'm not currently involved in the IETF's
>>> Network Working Group so I don't really know the political landscape
>>> there.
>>
>> I believe that the SSH development community will need to support this
>> effort:
>>
>> http://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2-00
>>
>> which specifies values for both the ECDSA algorithm and a SHA-256
>> fingerprint algorithm.
>>
>> RFC 4255 enumerates the RSA and DSS algorithms and the SHA-1 fingerprint
>> type.
>>
>> draft-os-ietf-sshfp-ecdsa-sha2-00 authored by O. Sury has a typo in the
>> draft suggesting that they update RFC 4225 which is wrong, but it seems
>> to be a simple typo as the body of the draft references RFC 4255.
>>
>> However, it does add ECDSA to the SSHFP RR types and SHA-256 to the
>> fingerprint types.
>>
>> The draft expires on Dec 18, 2011.
>>
>> This draft was sent to saag at ietf.org and the author also wrote a patch
>> for OpenSSH (portable) in
>>
>> https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/entry/ssh-sshfp-ecdsa.patch
>>
>>
>> See the message thread here:
>>
>> http://www.ietf.org/mail-archive/web/saag/current/msg03326.html
>> http://www.ietf.org/mail-archive/web/saag/current/msg03327.html
>>
>> Stephen Farrell<stephen.farrell at cs.tcd.ie> says that the author is
>> asking the AD to sponsor the work. And Warren Kumari<warren at kumari.net>
>> has added his support.
>>
>> This seems like something that should be raised on the
>> ietf-ssh at NetBSD.org list with a CC to saag at ietf.org, so
>> I have added these two lists to my response to this message.
>>
>> For the record, my vote is +1 for this draft.
>>
>> -- Mark
>> _______________________________________________
>> saag mailing list
>> saag at ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
>>
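To make the SSHFP mechanics in the thread concrete, here is an added Python example (not code from the thread, from the draft, or from OpenSSH). It builds SSHFP RDATA from an OpenSSH public key line using the RFC 4255 code points (RSA=1, DSS=2, SHA-1=1) plus the ECDSA=3 and SHA-256=2 values the draft proposes (later published as RFC 6594), and, unlike the ssh-keygen -r behaviour dkg reports, it returns a non-zero status for an unsupported algorithm instead of 0. The sample key lines are constructed and the hostname is a placeholder.

```python
import base64
import hashlib
import struct
import sys

# SSHFP code points: RFC 4255 defines RSA=1, DSS=2 and SHA-1=1; the draft in
# the thread (later published as RFC 6594) adds ECDSA=3 and SHA-256=2.
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def ssh_string(b):
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(b)) + b

def sshfp_rdata(pubkey_line, fptype=2):
    """Return (algorithm, fptype, hex fingerprint) for one OpenSSH .pub line.
    The fingerprint is the hash of the raw base64-decoded key blob (RFC 4255,
    section 3.1.2). Raises ValueError for key or hash types not in the registry."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    blob = base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])          # first wire string = key type
    ktype = blob[4:4 + n].decode("ascii")
    if fields[0] != ktype:
        raise ValueError("key type field does not match blob")
    if ktype not in ALGORITHMS:
        raise ValueError("unsupported algorithm: " + ktype)
    if fptype not in FP_TYPES:
        raise ValueError("unsupported fingerprint type: %d" % fptype)
    return ALGORITHMS[ktype], fptype, FP_TYPES[fptype](blob).hexdigest()

def export_sshfp(hostname, pubkey_line, fptype=2):
    """Print an SSHFP record and return a shell-style exit status: 0 on
    success, 1 on failure (the non-zero status dkg asked ssh-keygen -r for)."""
    try:
        alg, fpt, fp = sshfp_rdata(pubkey_line, fptype)
    except ValueError as e:
        print("export_sshfp: %s" % e, file=sys.stderr)
        return 1
    print("%s IN SSHFP %d %d %s" % (hostname, alg, fpt, fp))
    return 0

# Constructed sample lines, shaped like OpenSSH output but not real key material.
ECDSA_BLOB = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
              + ssh_string(b"\x04" + b"\x11" * 64))
ECDSA_LINE = "ecdsa-sha2-nistp256 %s user@host" % base64.b64encode(ECDSA_BLOB).decode()
UNKNOWN_LINE = "ssh-unknown %s" % base64.b64encode(ssh_string(b"ssh-unknown")).decode()
```

Running `export_sshfp("host.example.", ECDSA_LINE)` prints a `3 2 <sha256>` record and returns 0, while the unknown key type prints the error and returns 1.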

