Re: HEADS UP: OpenSSH with DNSSEC support in 10
On Sat, 2013-09-14 at 16:03 +0200, Dag-Erling Smørgrav wrote:
> Ian Lepore <i...@freebsd.org> writes:
> > I just ran into a build error related to this:
> > [...]
> > I find that the attached patch fixes it for me.
> > [...]
> > @@ -1468,7 +1468,7 @@ lib/libcxxrt__L: gnu/lib/libgcc__L
> >  lib/libradius lib/libsbuf lib/libtacplus \
> >  ${_cddl_lib_libumem} ${_cddl_lib_libnvpair} \
> >  ${_cddl_lib_libzfs_core} \
> > - lib/libutil ${_lib_libypclnt} lib/libz lib/msun \
> > + lib/libutil ${_lib_libypclnt} lib/libldns lib/libz lib/msun \
> >  ${_secure_lib_libcrypto} ${_secure_lib_libssh} \
> >  ${_secure_lib_libssl}
>
> That's not going to work, because libldns requires libcrypto. You should
> try the following:
>
> @@ -1470,8 +1470,8 @@
>  ${_cddl_lib_libumem} ${_cddl_lib_libnvpair} \
>  ${_cddl_lib_libzfs_core} \
>  lib/libutil ${_lib_libypclnt} lib/libz lib/msun \
> - ${_secure_lib_libcrypto} ${_secure_lib_libssh} \
> - ${_secure_lib_libssl}
> + ${_secure_lib_libcrypto} ${_lib_libldns} \
> + ${_secure_lib_libssh} ${_secure_lib_libssl}
>  .if ${MK_ATF} != no
>  _lib_atf_libatf_c= lib/atf/libatf-c
>
> Oh, wait, that's actually an excerpt from the commit that enabled LDNS in
> OpenSSH. What a coincidence!
>
> DES

Hrm, sure enough, even though that sandbox claims to be at r255532, your
changes from r255460 are not in Makefile.inc1. So I've got some sort of
brokenness/pollution in my sandbox I'll look into, sorry for the noise.

-- Ian
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to freebsd-security-unsubscr...@freebsd.org
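Review bot: in the first hunk (-1468,7 +1468,7) the new `lib/libldns` entry is placed ahead of `${_secure_lib_libcrypto}` in the dependency list, which puts a consumer before the library it links against (libldns needs libcrypto), and it is listed unconditionally rather than through a variable gated on the LDNS knob, so a build that disables LDNS in src.conf would still pull it in. Suggest moving the entry after `${_secure_lib_libcrypto}` and referencing it as a conditional `${_lib_libldns}`, the way the second hunk in this message does.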
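Review bot: the second hunk (-1470,8 +1470,8) orders `${_secure_lib_libcrypto} ${_lib_libldns}` before `${_secure_lib_libssh}`, which is the right build order when libssh consumes libldns and libldns consumes libcrypto. The definition of `_lib_libldns` is outside the excerpt, so confirm it is set only when LDNS is enabled, so that this dependency list and the libssh build agree on whether libldns is in play.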
HEADS UP: OpenSSH with DNSSEC support in 10
OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you disable
LDNS in src.conf. If DNSSEC is enabled, the default setting for
VerifyHostKeyDNS is yes. This means that OpenSSH will silently trust
DNSSEC-signed SSHFP records.

I consider this a lesser evil than ask (aka train the user to type 'yes'
and hit enter) and no (aka train the user to type 'yes' and hit enter
without even the benefit of a second opinion).

DES
--
Dag-Erling Smørgrav - d...@des.no
Re: HEADS UP: OpenSSH with DNSSEC support in 10
Ian Lepore <i...@freebsd.org> writes:
> So what happens when there is no dns server to consult? Will every ssh
> connection have to wait for a long dns query timeout? What if the
> machine is configured to use only /etc/hosts?

If there is no DNS server, no query will be sent.

> What if a DNS server is configured but doesn't respond?

The DNS request will time out.

In the vast majority of cases, you will either have no DNS at all (so no
query will be sent), or you will have a functioning DNS server. In a
slightly less vast majority of cases, you will not be able to resolve the
server's IP address without DNS anyway.

> For that matter, I just realized I'm a bit unclear on who is querying
> DNS for this info, the ssh client or the sshd?

The client - and you can override this in your ~/.ssh/config or on the
command line (-oVerifyHostKeyDNS=no).

DES
--
Dag-Erling Smørgrav - d...@des.no
Re: HEADS UP: OpenSSH with DNSSEC support in 10
On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Smørgrav wrote:
> OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
> disable LDNS in src.conf. If DNSSEC is enabled, the default setting for
> VerifyHostKeyDNS is yes. This means that OpenSSH will silently trust
> DNSSEC-signed SSHFP records.
>
> I consider this a lesser evil than ask (aka train the user to type 'yes'
> and hit enter) and no (aka train the user to type 'yes' and hit enter
> without even the benefit of a second opinion).
>
> DES

So what happens when there is no dns server to consult? Will every ssh
connection have to wait for a long dns query timeout? What if the machine
is configured to use only /etc/hosts? What if a DNS server is configured
but doesn't respond?

For that matter, I just realized I'm a bit unclear on who is querying DNS
for this info, the ssh client or the sshd?

-- Ian
Re: HEADS UP: OpenSSH with DNSSEC support in 10
On Wed, 11 Sep 2013, Ian Lepore wrote:
> On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Smørgrav wrote:
> > OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you
> > disable LDNS in src.conf. If DNSSEC is enabled, the default setting
> > for VerifyHostKeyDNS is yes. This means that OpenSSH will silently
> > trust DNSSEC-signed SSHFP records.
> >
> > I consider this a lesser evil than ask (aka train the user to type
> > 'yes' and hit enter) and no (aka train the user to type 'yes' and hit
> > enter without even the benefit of a second opinion).
> >
> > DES
>
> So what happens when there is no dns server to consult? Will every ssh
> connection have to wait for a long dns query timeout?

There is a long precedent for ssh waiting on DNS timeouts, with the
GSSAPI* options. At least in some cases, ssh could end up waiting for 3
retries against each KDC for each of some six GSSAPI mechanisms, at (IIRC)
a 3-second timeout each. This was so bad that corrective action was taken,
but there are still some delays if DNS is not functioning properly.

-Ben Kaduk