[Bug 2040] Downgrade attack vulnerability when checking SSHFP records
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Fri Sep 7 17:07:22 EST 2012
https://bugzilla.mindrot.org/show_bug.cgi?id=2040
--- Comment #5 from Ondřej Caletka <ondrej at caletka.cz> ---
(In reply to comment #3)
> Wouldn't it be simpler and safer to verify that all fingerprints
> match? I.e verify that both SHA1 and SHA256 SSHFP records verify
> correctly. Right now we need only one success and ignore all the
> hash mismatches...
This would actually prevent doing a smooth host key rollover, where you
pre-publish SSHFP records for the new Host key, then change the host
key and delete old SSHFP records after that. As DNS updates are never
synchronous, you cannot change SSHFP records at the same moment as host
key.
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
More information about the openssh-bugs
mailing list