multiple SSHFP records for the same hostname and key type
Oli Schacher
oli.schacher at switch.ch
Fri Mar 11 23:55:54 AEDT 2022
Dear list
I have two servers with different host keys which provide a ssh service
under a shared host name, in an active-passive setup. When connecting to
ssh-service.einbeispiel.ch you reach either server A or B. This service
name has two SSHFP records:
ssh-service.einbeispiel.ch SSHFP 4 2 <ED25519 hostkey from server A>
ssh-service.einbeispiel.ch SSHFP 4 2 <ED25518 hostkey from server B>
This has worked previously, but openssh has changed its implementation
in 8.7., so that apparently *ALL* SSHFP records must match or the Host
key will not be accepted. [1]
# example with OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k 25 Mar 2021
ssh -v -o HostKeyAlgorithms=ssh-ed25519 -o VerifyHostKeyDNS=yes
ssh-service.einbeispiel.ch
[...]
debug1: found 2 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
# example with OpenSSH_8.9p1, OpenSSL 1.1.1m 14 Dec 2021
ssh -v -o HostKeyAlgorithms=ssh-ed25519 -o VerifyHostKeyDNS=yes
ssh-service.einbeispiel.ch
[...]
debug1: verify_host_key_dns: failed SSHFP type 4 fptype 2
debug1: verify_host_key_dns: matched SSHFP type 4 fptype 2
debug1: mismatching host key fingerprint found in DNS
[...]
No matching host key fingerprint found in DNS.
It seems to me that this change breaks two use cases:
a) the one described above , i.e. using SSHFP records for a common
service name provided by multiple backends with different host keys
b) the possibility to seamlessly replace a host key without breaking
SSHFP validation, as this would require the SSHFP record to be changed
*exactly* at the same time as the host keys. But due to DNS TTLs /
replication delay this is not possible and there will always be a time
frame where these records are out of sync. With the earlier behavior I
could just add the new SSHFP record in the DNS and have both old and new
keys active, then replace the host key on the server, then remove the
old key from DNS SSHFP.
rfc4255[2] says
"If the algorithm and fingerprint of the key received from the SSH
server match the algorithm and fingerprint of *one of* the SSHFP
resource record(s) returned from DNS, the client MAY accept the identity
of the server."
note the "one of"
So I'm wondering if the change in 8.7 from "one of" to "all" did
consider these two cases at all. Should I change my use cases or is this
a breakage in openssh that could be considered to be reverted?
Thanks for your help and best regards
Oli
[1] https://www.openssh.com/txt/release-8.7
[2] https://datatracker.ietf.org/doc/html/rfc4255#section-2.1
More information about the openssh-unix-dev
mailing list