Small issue with DNSSEC / SSHFP

Malcolm opensshdev at r.paypc.com
Tue Jun 23 10:24:01 AEST 2015


Quoting Philip Homburg <pch-openssh at u-1.phicoh.com>:

> Hi,
> 
> I found a small issue with DNSSEC validation of SSHFP lookups. (For
> reference I used OpenSSH 6.8p1 on FreeBSD 10.1).
> 
> The issue is that when DNSSEC validation fails, ssh displays a confusing
> message to the user. When DNSSEC validation of an SSHFP record fails, ssh
> presents the user with
> "Matching host key fingerprint found in DNS.
> "Are you sure you want to continue connecting (yes/no)?

That's not the only confusing one.  I ran into another confusing error message
on some of my 6.6 clients when connecting to hosts which had published a full
set of SSHFPs (types 1 and 4 anyway, with both hash records for each of
those).  It was something vague like "Error calculating host key fingerprint"
with no mention of an unsupported SSHFP record.

Even though Curve25519 support was in those older versions, I guess the
support for the Ed25519 algorithm in SSHFPs lagged them by quite a while.  I
don't use algorithms 2 or 3 since none of my SSHDs are configured to support them.

It's probably of minor importance, since DNS fingerprinting is not the best
primary mechanism to verify a server's host key fingerprint.

=R=
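The two failure modes discussed above (an SSHFP record that was not DNSSEC-validated, and a client that does not know the SSHFP algorithm number used by the server's key) can be modelled with a small client-side checker that reports a distinct status for each case instead of a vague message. The following is an added example and not OpenSSH's own code; the key blobs are constructed dummy values in SSH wire format (not real keys), the hostname is a placeholder, and the `supported_algos` parameter is an assumption used to simulate an older client that lacks Ed25519 (algorithm 4) support.

```python
import base64
import hashlib
from typing import NamedTuple

# SSHFP algorithm numbers (RFC 4255, extended by RFC 6594 and RFC 7479).
ALGO_NAMES = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "Ed25519"}
# SSHFP fingerprint types: hash of the raw public key blob.
HASH_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256}


class SSHFP(NamedTuple):
    algo: int
    fptype: int
    fingerprint: str  # lowercase hex digest


def keytype_to_algo(keytype: str):
    """Map an SSH key type name to its SSHFP algorithm number (None if unknown)."""
    if keytype == "ssh-rsa":
        return 1
    if keytype == "ssh-dss":
        return 2
    if keytype.startswith("ecdsa-sha2-"):
        return 3
    if keytype == "ssh-ed25519":
        return 4
    return None


def sshfp_records_for(keytype: str, key_b64: str) -> list:
    """Generate the SSHFP records (both fingerprint types) for one host key."""
    algo = keytype_to_algo(keytype)
    if algo is None:
        raise ValueError(f"no SSHFP algorithm number for key type {keytype}")
    blob = base64.b64decode(key_b64)
    return [SSHFP(algo, t, fn(blob).hexdigest()) for t, fn in HASH_FUNCS.items()]


def zone_records(hostname: str, records: list) -> list:
    """Render records as zone-file lines for publication."""
    return [f"{hostname}. IN SSHFP {r.algo} {r.fptype} {r.fingerprint}" for r in records]


def check_host_key(records, keytype, key_b64, dnssec_secure, supported_algos=frozenset(ALGO_NAMES)):
    """Decide what a client should say about a host key given the SSHFP answer.

    Returns (status, message). Records that did not validate under DNSSEC are
    never reported as a match, and an unknown algorithm number is reported as
    such rather than as a generic fingerprint error.
    """
    if not dnssec_secure:
        return "insecure", "SSHFP records were not DNSSEC-validated; not using them"
    algo = keytype_to_algo(keytype)
    for_key = [r for r in records if r.algo == algo]
    if algo is None or not for_key:
        return "no-record", f"no SSHFP record published for key type {keytype}"
    if algo not in supported_algos:
        return "unsupported", f"SSHFP algorithm {algo} ({ALGO_NAMES[algo]}) is not supported by this client"
    usable = [r for r in for_key if r.fptype in HASH_FUNCS]
    if not usable:
        return "unsupported", "SSHFP fingerprint type(s) not supported by this client"
    blob = base64.b64decode(key_b64)
    if any(HASH_FUNCS[r.fptype](blob).hexdigest() == r.fingerprint for r in usable):
        return "match", "host key fingerprint matches a DNSSEC-validated SSHFP record"
    return "mismatch", "host key does NOT match any DNSSEC-validated SSHFP record"


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample key blobs (valid wire format, dummy key material, not real keys).
SAMPLE_ED25519 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
OTHER_ED25519 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()
SAMPLE_RECORDS = sshfp_records_for("ssh-ed25519", SAMPLE_ED25519)

if __name__ == "__main__":
    for line in zone_records("host.example", SAMPLE_RECORDS):  # placeholder hostname
        print(line)
    # Validated answer, correct key.
    print(check_host_key(SAMPLE_RECORDS, "ssh-ed25519", SAMPLE_ED25519, True))
    # Same answer, but the resolver did not set the AD bit.
    print(check_host_key(SAMPLE_RECORDS, "ssh-ed25519", SAMPLE_ED25519, False))
    # Simulated older client that only knows algorithms 1 to 3.
    print(check_host_key(SAMPLE_RECORDS, "ssh-ed25519", SAMPLE_ED25519, True, supported_algos={1, 2, 3}))
```

Running the module prints the two zone lines for the sample key and then the three verdicts: `match`, `insecure`, and `unsupported`. The point of the last two is that neither path can ever print "Matching host key fingerprint found in DNS", which is the confusion the thread describes.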


More information about the openssh-unix-dev mailing list