ssh-keygen -r should support SSHFP records for ECDSA (or at least return non-zero error code on failure)

Ondřej Caletka ondrej.caletka at gmail.com
Tue Nov 29 19:53:32 EST 2011


FYI, there is a patch for linux port of OpenSSH to support
draft-os-ietf-sshfp-ecdsa-sha2-02

https://github.com/oskar456/ietf/raw/master/ssh-sshfp-ecdsa.patch

This patch is created against OpenSSH 5.8p1, but can be applied, after
minor adjustments, even to latest snapshot openssh-SNAP-2011112, or
non-portable version of OpenSSH.

There is only one potential problem - if server offers a certificate and
key embedded in certificate match a SSHFP record, host is considered
authenticated without considering certificate. Maybe better would be to
do all checks with certificate first and then continue on all checks
with embedded key alone. But this would requre a major redesign of
sshconnect.c.

Also I think it would be nice to change default for option
VerifyHostKeyDNS to ask. This setting should be always safe, regardless
of local DNS resolver trustworthy.

Regards,
Ondrej Caletka


Dne 21.11.2011 16:29, Daniel Kahn Gillmor napsal(a):
> hi folks:
> 
> it looks like ssh-keygen -r can't export SSHFP records for ECDSA keys:
> 
> 0 dkg at pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -f foobar -t ecdsa -q -P ''
> 0 dkg at pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -r foobar -f foobar.pub
> export_dns_rr: unsupported algorithm
> 0 dkg at pip:/tmp/cdtemp.oiRYAS$
> 
> the first number in my prompt is the return code of the last command;
> note that ssh-keygen -r fails to produce an SSHFP DNS RR, but it returns 0.
> 
> at the least, it should return non-zero on failure.
> 
> 
> I note that the relevant RFC doesn't include an enumeration for ECDSA:
> 
>  https://tools.ietf.org/html/rfc4255#section-3.1.1
> 
> Could anyone on this list kick off the IETF process for allocating a new
> ID in that registry for ECDSA?  I'm not currently involved in the IETF's
> Network Working Group so i don't really know the political landscape there.
> 
> Regards,
> 
> 	--dkg
> 
> 
> 
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4471 bytes
Desc: Elektronick�� podpis S/MIME
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20111129/6af854ee/attachment.bin>


More information about the openssh-unix-dev mailing list