auto-accept keys matching DNSSEC-validated SSHFP records

Robert Story rstory at sparta.com
Thu Jul 21 02:47:03 EST 2011


Hi,

I submitted a patch back in November of 2009 to add local validation of
DNSSEC records to openssh. I recently updated the patch for 5.8, and
figured I'd do a little marketing while I'm at it. :-)

Someone had previously submitted a patch which simply trusted the AD
bit in the response, which is susceptible to spoofing by anyone who can
inject packets between the resolver and the client. Our patch always
fetches the signatures and verifies them locally. A new option,
oStrictDnssecChecking, determines whether or not an untrusted response
is treated as a failure, or if the result is returned with a warning.

In addition to adding local validation, a new setting,
oAutoAnswerValidatedKeys, allows the user to automatically accept new
keys which match DNSSEC-validated SSHFP records. The default for this
new option is off, so even if the record matches, the user will still
be asked to confirm before connecting.

The patch is here:

	https://bugzilla.mindrot.org/show_bug.cgi?id=1672


I dug up some test cases and output from my archives. These show the
results seen when oAutoAnswerValidatedKeys is enabled.

1) ssh to a new host, DNSSEC-validated sshfp key:

$ ./ssh bishop
The authenticity of host 'bishop.vb (192.168.1.10)' was  validated via DNSSEC.
Warning: Permanently added 'bishop.vb,192.168.1.10' (RSA) to the list of known hosts.

2) subsequent ssh to existing host with key changes, but no DNS update

$ ./ssh bishop
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
1a:48:3f:2c:54:29:60:c4:86:b9:78:bd:e9:64:1f:8d.
Please contact your system administrator.
Update the SSHFP RR in DNS with the new host key to get rid of this message.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
1a:48:3f:2c:54:29:60:c4:86:b9:78:bd:e9:64:1f:8d.
Please contact your system administrator.
Add correct host key in /home/rstory/.ssh/known_hosts to get rid of this message.
Offending key in /home/rstory/.ssh/known_hosts:69
RSA host key for bishop.vb has changed and you have requested strict checking.
Host key verification failed.

3) ssh to same host after SSHFP record updated and re-signed

$ ./ssh bishop
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Howerver, a matching host key, validated by DNSSEC, was found.
The fingerprint for the RSA key sent by the remote host is
1a:48:3f:2c:54:29:60:c4:86:b9:78:bd:e9:64:1f:8d.
Please contact your system administrator.
Add correct host key in /home/rstory/.ssh/known_hosts to get rid of this message.
Offending key in /home/rstory/.ssh/known_hosts:69
The authenticity of host 'bishop.vb (192.168.1.10)' was  validated via DNSSEC.
Warning: Permanently added 'bishop.vb' (RSA) to the list of known hosts.


4) subsequent logins (no remote changes)

$ ./ssh bishop
Warning: the RSA host key for 'bishop.vb' differs from the key for the IP address '192.168.1.10'
Offending key for IP in /home/rstory/.ssh/known_hosts:69
Matching host key in /home/rstory/.ssh/known_hosts:70

5) IP addr change

$ ./ssh bishop
Warning: Permanently added the RSA host key for IP address '192.168.1.9' to the list of known hosts.

6) IP addr change and key change, with DNSSEC signed SSHFP record

$ ./ssh bishop
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: HOST IP ADDRESS HAS CHANGED!             @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for bishop.vb has changed,
and the key for the according IP address 192.168.1.10
is unknown. The IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Howerver, a matching host key, validated by DNSSEC, was found.
The fingerprint for the RSA key sent by the remote host is
c3:2d:e8:9e:65:b2:17:22:36:aa:73:47:d7:cd:5e:ae.
Please contact your system administrator.
Add correct host key in /home/rstory/.ssh/known_hosts to get rid of this message.
Offending key in /home/rstory/.ssh/known_hosts:69
The authenticity of host 'bishop.vb (192.168.1.10)' was  validated via DNSSEC.
Warning: Permanently added 'bishop.vb,192.168.1.10' (RSA) to the list of known hosts.


Robert

--
Senior Software Engineer
SPARTA (dba Cobham Analytic Solutions)
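The comparison the patch performs, as an added example that is not part of the bugzilla patch or of OpenSSH: hash the host key blob the way ssh-keygen -r does (RFC 4255, with the Ed25519 code point from RFC 7479), look for an SSHFP record with the same algorithm, fingerprint type and fingerprint, and then apply the two option semantics the post describes. The local DNSSEC signature check itself is out of scope here; a per-record "validated" flag stands in for its result, the sample keys and records are constructed inline, and the decide() logic is my reading of oAutoAnswerValidatedKeys and oStrictDnssecChecking, not code from the patch.

```python
"""SSHFP matching and host-key decision, modeled on the patch description.

Added example, not part of the mindrot bugzilla patch or of OpenSSH.
The 'validated' flag on each record stands in for local DNSSEC validation,
which this code does not perform. Sample keys and records are constructed.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
SSHFP_ALGO = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_key_line(keytype: str, inner: bytes) -> str:
    """Build a known_hosts/authorized_keys style line from a key blob.
    For ssh-ed25519 the blob is string(type) || string(32-byte public key)."""
    blob = _ssh_string(keytype.encode()) + _ssh_string(inner)
    return f"{keytype} {base64.b64encode(blob).decode()}"


def sshfp_rdata(pubkey_line: str, fptype: int) -> tuple:
    """(algorithm, fptype, hex fingerprint) as ssh-keygen -r would emit.
    The fingerprint is the hash of the raw key blob, not of the base64 text."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type prefix does not match blob")
    return SSHFP_ALGO[keytype], fptype, SSHFP_HASH[fptype](blob).hexdigest()


def parse_sshfp(presentation: str) -> tuple:
    """Parse 'algo fptype hexfp' as found in a zone file or dig output."""
    algo, fptype, fp = presentation.split()
    return int(algo), int(fptype), fp.lower()


def decide(pubkey_line: str, records, auto_answer: bool = False,
           strict_dnssec: bool = False) -> str:
    """Decision for a host key that is not yet in known_hosts.

    records: iterable of (sshfp_presentation, dnssec_validated) pairs, where
    dnssec_validated is the (assumed) outcome of local signature validation.
    Returns 'accept' (add without prompting), 'ask' (prompt the user) or
    'mismatch' (validated records exist for this key type but none match).
    """
    trusted_match = untrusted_match = saw_any = False
    for presentation, validated in records:
        algo, fptype, fp = parse_sshfp(presentation)
        if fptype not in SSHFP_HASH:
            continue  # unknown fingerprint type: ignore the record
        if not validated and strict_dnssec:
            continue  # strict mode: an unvalidated answer counts as a failed lookup
        expected = sshfp_rdata(pubkey_line, fptype)
        if algo != expected[0]:
            continue  # record is for a different key algorithm
        saw_any = True
        if fp == expected[2]:
            if validated:
                trusted_match = True
            else:
                untrusted_match = True  # non-strict: usable, but only with a warning
    if trusted_match and auto_answer:
        return "accept"
    if trusted_match or untrusted_match:
        return "ask"  # default: a matching record still requires confirmation
    return "mismatch" if saw_any else "ask"


# Constructed sample data: a fake Ed25519 host key and a rogue key.
HOST_KEY = make_key_line("ssh-ed25519", bytes(range(32)))
ROGUE_KEY = make_key_line("ssh-ed25519", b"\xff" * 32)
HOST_SSHFP = "{} {} {}".format(*sshfp_rdata(HOST_KEY, 2))

if __name__ == "__main__":
    print("SSHFP", HOST_SSHFP)
    print(decide(HOST_KEY, [(HOST_SSHFP, True)], auto_answer=True))
    print(decide(ROGUE_KEY, [(HOST_SSHFP, True)], auto_answer=True))
```

The record side of this is what `ssh-keygen -r hostname` prints from the server's host key files; the client side in stock OpenSSH is the VerifyHostKeyDNS option, which is the AD-bit-trusting behaviour the post contrasts with local validation. The point of the strict_dnssec branch is that a record the resolver did not validate is only as trustworthy as the path between the resolver and the client, which is exactly what an injected response can control.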