[Bug 2501] New: VerifyHostKeyDNS & StrictHostKeyChecking

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Nov 19 19:11:31 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2501

            Bug ID: 2501
           Summary: VerifyHostKeyDNS & StrictHostKeyChecking
           Product: Portable OpenSSH
           Version: 7.1p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: thorduri at secnorth.net

Created attachment 2753
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2753&action=edit
Two patches for the above.

When the SSHFP RR is missing (while there are records available), ssh does
not distinguish between these two cases, leading to confusing error messages;
that is, the "normal" warn_changed_key() blurb is emitted.

Further, when VerifyHostKeyDNS is set and StrictHostKeyChecking is set and
the host-presented key matches the known host key but the RR is missing,
the same warning is emitted; however, the user is not prompted for
confirmation that the connection should continue (this might be by design),
but I'd argue it violates POLA.

Attached are two naïve patches to portable (cloned from
anongit at mindrot.org) that attempt to tackle the above.
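As an added illustration of the distinction the report asks for (example code written for this page, not OpenSSH's own verify_host_key_dns() logic and not the attached patches): the helper below classifies an SSHFP lookup into "no records", "records but none match" and "match", the three outcomes the reporter wants ssh to report separately. It assumes the RFC 4255 layout (fingerprint = hash over the SSH wire-format public key blob); the key blob and RR values are constructed samples.

```python
import hashlib
import struct
from enum import Enum

class SshfpResult(Enum):
    NO_RECORDS = "no SSHFP records published for host"
    NO_MATCH = "SSHFP records published, none match the presented key"
    MATCH = "presented key matches a published SSHFP record"

# SSHFP code points (RFC 4255, RFC 6594, RFC 7479): algorithm and fingerprint type.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_algorithm(key_type):
    """Map an SSH key type name to its SSHFP algorithm number (None if unknown)."""
    if key_type.startswith("ecdsa-sha2-"):
        return 3
    return SSHFP_ALG.get(key_type)

def sshfp_fingerprint(key_blob, fptype):
    """Hex fingerprint as published in an SSHFP RR: hash over the wire-format key blob."""
    return SSHFP_HASH[fptype](key_blob).hexdigest()

def classify_sshfp(key_type, key_blob, records):
    """records: (alg, fptype, hex_fp) tuples as returned by the SSHFP lookup."""
    if not records:
        return SshfpResult.NO_RECORDS       # nothing published to verify against
    alg = sshfp_algorithm(key_type)
    for rr_alg, rr_fptype, rr_fp in records:
        if rr_alg != alg or rr_fptype not in SSHFP_HASH:
            continue                        # RR is for another key type or an unknown hash
        if sshfp_fingerprint(key_blob, rr_fptype) == rr_fp.lower():
            return SshfpResult.MATCH
    return SshfpResult.NO_MATCH             # RRs exist but disagree with the presented key

def ssh_string(data):
    """Encode an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data

# Constructed sample: Ed25519 public key blob in SSH wire format with a dummy 32-byte key.
SAMPLE_KEY_TYPE = "ssh-ed25519"
SAMPLE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))

if __name__ == "__main__":
    good = (4, 2, sshfp_fingerprint(SAMPLE_KEY_BLOB, 2))
    stale = (4, 2, "00" * 32)   # constructed: an RR left over from a previous host key
    for rrs in ([], [stale], [stale, good]):
        print(len(rrs), "record(s):", classify_sshfp(SAMPLE_KEY_TYPE, SAMPLE_KEY_BLOB, rrs).value)
```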
