Missing SSHFP RRs / VerifyHostKeyDNS & StrictHostKeyChecking

Damien Miller djm at mindrot.org
Thu Nov 19 13:50:49 AEDT 2015

On Wed, 18 Nov 2015, Thordur I. Bjornsson wrote:

> Y'all,
>
> Currently (OpenSSH_7.1p1) no distinction is made between when an SSHFP
> RR is missing from the result set (rather than being empty), which can
> lead to confusing error messages (the "normal" warn_changed_key() blurb
> is emitted), e.g. when the presented host key and known hosts both match
> but there is no matching RR.
>
> Further, if VerifyHostKeyDNS and StrictHostKeyChecking are set, there is
> no prompting for confirmation if the connection should be allowed to
> proceed; I'm unsure if this is by design or not (as presented host key
> and known host key match), but I'd argue this violates POLA.
>
> Attached are two naïve patches to portable (cloned from
> anongit at mindrot.org) that attempt to tackle the above.

Looks like the list server ate the attachments - could you attach them
to a bug on https://bugzilla.mindrot.org/ ?
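The three outcomes the thread is about (no SSHFP RR for the presented key, a matching RR, and a conflicting RR) are easy to confuse if the lookup result is reduced to a single "did it verify" flag. The script below is an added example, not code from OpenSSH's dns.c or from either poster: it computes the SSHFP records (RFC 4255, RFC 6594, RFC 7479) that a zone would publish for a host key and classifies a DNS answer set as `missing`, `match` or `mismatch`, so that only the last case is reported as a changed key. The host-key blob and the SSHFP records it runs on are constructed here for illustration; the `host.example.` name is a placeholder.

```python
"""Distinguish 'no SSHFP RR' from 'conflicting SSHFP RR' for a host key.

Added example, not OpenSSH code: computes the SSHFP records (RFC 4255,
RFC 6594, RFC 7479) a zone would publish for a host key and classifies a
DNS result set as 'missing', 'match' or 'mismatch'.
"""
import base64
import hashlib
from typing import Iterable, List, NamedTuple

# SSHFP algorithm numbers: 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519.
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 SHA-1, 2 SHA-256 (both hash the raw key blob).
SSHFP_SHA1, SSHFP_SHA256 = 1, 2
_HASH = {SSHFP_SHA1: hashlib.sha1, SSHFP_SHA256: hashlib.sha256}


class SSHFP(NamedTuple):
    algo: int
    fptype: int
    fingerprint: str  # lowercase hex


def blob_from_pubkey_line(line: str) -> bytes:
    """Return the wire-format key blob from an ssh-keyscan-style line."""
    fields = line.split()
    return base64.b64decode(fields[1])


def key_type_of(blob: bytes) -> str:
    """Read the leading SSH string (the key type name) of a key blob."""
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode("ascii")


def sshfp_records(blob: bytes, fptypes=(SSHFP_SHA1, SSHFP_SHA256)) -> List[SSHFP]:
    """Compute the SSHFP RRs that would be published for this key blob."""
    algo = SSHFP_ALGO[key_type_of(blob)]
    return [SSHFP(algo, t, _HASH[t](blob).hexdigest()) for t in fptypes]


def parse_sshfp_rdata(rdata: str) -> SSHFP:
    """Parse SSHFP RDATA as dig prints it, e.g. '4 2 ABCD...' (hex may be split)."""
    fields = rdata.split()
    return SSHFP(int(fields[0]), int(fields[1]), "".join(fields[2:]).lower())


def classify(blob: bytes, dns_records: Iterable[SSHFP]) -> str:
    """Classify the DNS result set relative to the presented host key.

    'missing'  - no RR in the set has this key's algorithm and a fingerprint
                 type we can compute (an empty answer is the common case);
    'match'    - at least one such RR carries the correct fingerprint;
    'mismatch' - such RRs exist but none match: the only case that should
                 be reported as a changed key.
    """
    ours = {(r.algo, r.fptype): r.fingerprint for r in sshfp_records(blob)}
    relevant = [r for r in dns_records if (r.algo, r.fptype) in ours]
    if not relevant:
        return "missing"
    if any(ours[(r.algo, r.fptype)] == r.fingerprint.lower() for r in relevant):
        return "match"
    return "mismatch"


# Constructed input: a syntactically valid ssh-ed25519 blob (type string plus
# a 32-byte dummy point) and the ssh-keyscan-style line that carries it.
CONSTRUCTED_ED25519_BLOB = (
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
)
CONSTRUCTED_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(CONSTRUCTED_ED25519_BLOB).decode()

if __name__ == "__main__":
    blob = blob_from_pubkey_line(CONSTRUCTED_PUBKEY_LINE)
    published = sshfp_records(blob)
    for r in published:
        print(f"host.example. IN SSHFP {r.algo} {r.fptype} {r.fingerprint}")
    wrong = SSHFP(4, SSHFP_SHA256, "ff" * 32)  # constructed conflicting RR
    print("empty answer  :", classify(blob, []))
    print("rsa-only RR   :", classify(blob, [SSHFP(1, SSHFP_SHA256, "00" * 32)]))
    print("correct RRs   :", classify(blob, published))
    print("conflicting RR:", classify(blob, [wrong]))
```

On a real host, feed `blob_from_pubkey_line` one line of `ssh-keyscan -t ed25519 host` output and `parse_sshfp_rdata` each line of `dig +short SSHFP host`; note that an answer containing only RRs for another key algorithm (the "rsa-only" case above) is classified as `missing`, not `mismatch`, because it says nothing about the key that was presented.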
