https://bugzilla.mindrot.org/show_bug.cgi?id=3698

            Bug ID: 3698
           Summary: SSHFP validation fails when multiple keys of the same
                    type are found in DNS
           Product: Portable OpenSSH
           Version: 8.7p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-b...@mindrot.org
          Reporter: lukastesa...@gmail.com

This bug was already reported back in 2022 on the openssh-unix-dev
mailing list[1], with no response.

Basically, the OpenSSH client is not compliant with RFC 4255 in the way
it checks SSHFP records.

> "If the algorithm and fingerprint of the key received from the SSH server
> match the algorithm and fingerprint of *one of* the SSHFP resource record(s)
> returned from DNS, the client MAY accept the identity of the server."

However, when the OpenSSH client 8.7+ performs the host key DNS check (by
looking at the SSHFP records), it fails whenever DNS returns two records
with two different keys of the same algorithm for the same host, even
though one of them matches.

I will use examples from the original report[1], as they are still
relevant.

# example with OpenSSH_8.9p1, OpenSSL 1.1.1m  14 Dec 2021
ssh -v -o HostKeyAlgorithms=ssh-ed25519 -o VerifyHostKeyDNS=yes ssh-service.einbeispiel.ch
[...]
debug1: verify_host_key_dns: failed SSHFP type 4 fptype 2
debug1: verify_host_key_dns: matched SSHFP type 4 fptype 2
debug1: mismatching host key fingerprint found in DNS
[...]
No matching host key fingerprint found in DNS.
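The following is an added illustration, not code from the bug report or from OpenSSH. It models the SSHFP check described above: a record matches when its algorithm number and a fresh hash of the server's public key blob (SHA-1 for fingerprint type 1, SHA-256 for type 2) equal the record's fields. `verify_rfc4255` accepts the host if any one record matches, as the quoted RFC text requires; `verify_reject_on_any_mismatch` is a model of the behaviour the report describes, where a second, non-matching record of the same type causes rejection even though another record matched. The key blobs and the DNS records are constructed for the example; the name "ssh-service.example.com" and the helper names are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# SSHFP fingerprint types (RFC 4255, RFC 6594): 1 = SHA-1, 2 = SHA-256.
FPTYPE_HASH = {1: hashlib.sha1, 2: hashlib.sha256}
# Algorithm numbers used here: 4 = Ed25519 (RFC 7479).
ALG_ED25519 = 4


@dataclass(frozen=True)
class SSHFP:
    """One SSHFP resource record: algorithm, fingerprint type, raw digest."""
    algorithm: int
    fptype: int
    fingerprint: bytes


def make_sshfp(algorithm: int, fptype: int, key_blob: bytes) -> SSHFP:
    """Build the record a zone operator would publish for key_blob."""
    return SSHFP(algorithm, fptype, FPTYPE_HASH[fptype](key_blob).digest())


def parse_sshfp_rdata(rdata: str) -> SSHFP:
    """Parse presentation-format RDATA, e.g. '4 2 <hex digest>'."""
    alg, fptype, hexdigest = rdata.split(None, 2)
    return SSHFP(int(alg), int(fptype), bytes.fromhex(hexdigest.replace(" ", "")))


def _record_matches(rec: SSHFP, algorithm: int, key_blob: bytes) -> bool:
    # Records of a different algorithm or an unknown fingerprint type are
    # not comparable with this key and are simply skipped.
    if rec.algorithm != algorithm or rec.fptype not in FPTYPE_HASH:
        return False
    digest = FPTYPE_HASH[rec.fptype](key_blob).digest()
    return hmac.compare_digest(digest, rec.fingerprint)


def verify_rfc4255(algorithm: int, key_blob: bytes, records: list) -> bool:
    """RFC 4255 section 3.1: accept if the key matches ONE OF the records."""
    return any(_record_matches(r, algorithm, key_blob) for r in records)


def verify_reject_on_any_mismatch(algorithm: int, key_blob: bytes, records: list) -> bool:
    """Model (assumption, not OpenSSH source) of the behaviour in the report:
    a non-matching record of the same algorithm/fptype makes the check fail,
    regardless of an earlier or later matching record."""
    matched = False
    for r in records:
        if r.algorithm != algorithm or r.fptype not in FPTYPE_HASH:
            continue
        if _record_matches(r, algorithm, key_blob):
            matched = True          # "matched SSHFP type 4 fptype 2"
        else:
            return False            # "mismatching host key fingerprint found in DNS"
    return matched


# Constructed sample: a host that rotates keys publishes SSHFP records for
# both its current and its previous Ed25519 key (two keys, same algorithm).
KEY_CURRENT = b"constructed-ed25519-public-key-blob-current"
KEY_PREVIOUS = b"constructed-ed25519-public-key-blob-previous"
KEY_UNKNOWN = b"constructed-ed25519-public-key-blob-attacker"

DNS_RECORDS = [
    make_sshfp(ALG_ED25519, 2, KEY_CURRENT),
    make_sshfp(ALG_ED25519, 2, KEY_PREVIOUS),
]


def demo() -> dict:
    """Compare both verifiers on the constructed zone; returns the outcomes."""
    return {
        "rfc4255_current": verify_rfc4255(ALG_ED25519, KEY_CURRENT, DNS_RECORDS),
        "rfc4255_unknown": verify_rfc4255(ALG_ED25519, KEY_UNKNOWN, DNS_RECORDS),
        "reported_current": verify_reject_on_any_mismatch(ALG_ED25519, KEY_CURRENT, DNS_RECORDS),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

With two valid records in the zone, `verify_rfc4255` accepts the server's current key and still rejects a key that appears in no record, while the modelled behaviour rejects the current key as soon as it sees the record for the previous key. Operators who hit this can confirm it from the `debug1:` lines above: a `failed` and a `matched` line for the same type and fptype followed by `mismatching host key fingerprint found in DNS`.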

The bug report is filed against the first version this behavior appeared
in, but it also applies to all later versions, as this has not been fixed yet.

[1] multiple SSHFP records for the same hostname and key type
https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-March/040127.html
