Bug#698794: openssh-client: Uses ECDSA but does not understand SSHFP records
Package: openssh-client
Version: 1:6.0p1-3
Severity: normal
Tags: upstream
This is more or less a known issue some people in my environment have
already been hit by. I'm filing this bug for reference and will mark
the versions accordingly ASAP. I think this will affect more people
when Wheezy is out.
SSHFP DNS records provide an (optionally DNSSEC-secured) way to put SSH
host keys into DNS and have them verified by the client.
Since the OpenSSH 5.7p1 upstream release (post-squeeze), openssh uses ECDSA
for host keys by default:
Features:
* Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA
offer better performance than plain DH and DSA at the same equivalent
symmetric key length, as well as much shorter keys.
[...]
ECDH in a 256 bit curve field is the preferred key agreement
algorithm when both the client and server support it. ECDSA host
keys are preferred when learning a host's keys for the first time,
or can be learned using ssh-keyscan(1).
However, support for SSHFP records for ECDSA host keys was only added
in 6.1p1, which will NOT be part of wheezy:
Features:
[...]
* Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
This means that everything between 5.7 and 6.1 will use an algorithm it does
not support SSHFP records for.
The only workaround is to force ssh(1) to use only the old RSA/DSA algorithms:

    Host *
        VerifyHostKeyDNS yes
        HostKeyAlgorithms ssh-rsa,ssh-dss
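To make the mismatch concrete, here is an added example (not code from this bug report or from OpenSSH) that builds the SSHFP rdata for a host key the way ssh-keygen -r does and then models the client-side check. The algorithm numbers (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519) and fingerprint types (1 SHA-1, 2 SHA-256) are the real RFC 4255 / RFC 6594 / RFC 7479 values; the two key blobs are constructed placeholders with the right wire layout, not real keys, and the two client models (one knowing only algorithms 1 and 2, one also knowing 3) are a simplification of the behaviour the report describes. The example goes slightly beyond the report by also covering Ed25519 and the SHA-256 fingerprint type.

```python
"""SSHFP record generation and client-side matching (RFC 4255 / RFC 6594)."""
import base64
import hashlib
import struct

# Algorithm numbers: RFC 4255 defines 1 and 2, RFC 6594 adds 3, RFC 7479 adds 4.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# Fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

# Simplified client models (assumption): a client that only knows RSA/DSA
# records cannot match an ECDSA host key even when the record is in DNS.
CLIENT_RSA_DSA_ONLY = {1, 2}
CLIENT_WITH_ECDSA = {1, 2, 3}


def ssh_string(b: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed placeholder key blobs with the OpenSSH public-key layout.
# They are NOT real keys; only their structure matters for the fingerprint.
RSA_BLOB = (ssh_string(b"ssh-rsa")
            + ssh_string(b"\x01\x00\x01")          # e = 65537
            + ssh_string(b"\x00" + b"\xab" * 32))  # toy modulus
ECDSA_BLOB = (ssh_string(b"ecdsa-sha2-nistp256")
              + ssh_string(b"nistp256")
              + ssh_string(b"\x04" + b"\x11" * 64))  # toy uncompressed point
RSA_LINE = "ssh-rsa " + base64.b64encode(RSA_BLOB).decode() + " constructed"
ECDSA_LINE = "ecdsa-sha2-nistp256 " + base64.b64encode(ECDSA_BLOB).decode() + " constructed"


def parse_pubkey_line(line: str):
    """Parse a known_hosts-style 'keytype base64 comment' line into (keytype, blob)."""
    fields = line.split()
    keytype, blob = fields[0], base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])
    # The blob itself names the key type; refuse lines where the two disagree.
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type field does not match key blob")
    return keytype, blob


def sshfp_records(keytype: str, blob: bytes):
    """Return (algorithm, fptype, hex fingerprint) tuples, one per hash type.

    The fingerprint is the hash of the raw public-key blob, as in ssh-keygen -r.
    """
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_HASH.items())]


def format_sshfp(hostname: str, record) -> str:
    """Render one record as a zone-file line."""
    alg, fptype, fp = record
    return f"{hostname} IN SSHFP {alg} {fptype} {fp}"


def verify_host_key(keytype: str, blob: bytes, records, client_algs) -> str:
    """Model VerifyHostKeyDNS for a client that knows the given algorithm numbers.

    Returns 'verified', 'mismatch', 'no-record', or 'unsupported' when the
    client cannot even look for records of the offered key's algorithm.
    """
    alg = SSHFP_ALGORITHM.get(keytype)
    if alg is None or alg not in client_algs:
        return "unsupported"
    candidates = [r for r in records if r[0] == alg and r[1] in SSHFP_HASH]
    if not candidates:
        return "no-record"
    for _, fptype, fp in candidates:
        if SSHFP_HASH[fptype](blob).hexdigest() == fp.lower():
            return "verified"
    return "mismatch"


if __name__ == "__main__":
    kt, blob = parse_pubkey_line(ECDSA_LINE)
    recs = sshfp_records(kt, blob)
    for r in recs:
        print(format_sshfp("host.example", r))
    print("old client:", verify_host_key(kt, blob, recs, CLIENT_RSA_DSA_ONLY))
    print("6.1 client:", verify_host_key(kt, blob, recs, CLIENT_WITH_ECDSA))
```

Running it shows the report's point directly: the ECDSA records are published with algorithm number 3, the old client model returns "unsupported" for them, and the same key and records verify once algorithm 3 is known. Restricting HostKeyAlgorithms to ssh-rsa,ssh-dss is what keeps the old client on keys it can match.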
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (900, 'testing'), (800, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssh-client depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.49
ii dpkg 1.16.9
ii libc6 2.13-37
ii libedit2 2.11-20080614-5
ii libgssapi-krb5-2 1.10.1+dfsg-3
ii libselinux1 2.1.9-5
ii libssl1.0.0 1.0.1c-4
ii passwd 1:4.1.5.1-1
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages openssh-client recommends:
ii openssh-blacklist 0.4.1+nmu1
ii openssh-blacklist-extra 0.4.1+nmu1
ii xauth 1:1.0.7-1
Versions of packages openssh-client suggests:
ii keychain 2.7.1-1
pn libpam-ssh <none>
pn monkeysphere <none>
pn ssh-askpass <none>
-- no debconf information