Bug#698794: openssh-client: Uses ECDSA but does not understand SSHFP records



Package: openssh-client
Version: 1:6.0p1-3
Severity: normal
Tags: upstream

This is more or less a known issue some people in my environment have 
already been hit by. I'm filing this bug for reference and will mark
the versions accordingly ASAP. I think this will affect more people
when Wheezy is out.

SSHFP DNS records provide an (optionally DNSSEC-secured) way to put SSH
host keys into DNS and have them verified by the client.

Since the OpenSSH 5.7p1 (post-squeeze) upstream release, openssh uses ECDSA
for the keys by default:

Features:

 * Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
   and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA
   offer better performance than plain DH and DSA at the same equivalent
   symmetric key length, as well as much shorter keys.
[...]
   ECDH in a 256 bit curve field is the preferred key agreement
   algorithm when both the client and server support it. ECDSA host
   keys are preferred when learning a host's keys for the first time,
   or can be learned using ssh-keyscan(1).

However, support for SSHFP records for ECDSA host keys has only been
added in 6.1p1, which will NOT be a part of wheezy:

Features:
[...]
 * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978

This means that everything between 5.7 and 6.1 will use an algorithm it does
not support SSHFP records for.

The only workaround is to force ssh(1) to use only the old RSA/DSA algos:

Host *
    VerifyHostKeyDNS   yes
    HostKeyAlgorithms  ssh-rsa,ssh-dss


-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg                   1.16.9
ii  libc6                  2.13-37
ii  libedit2               2.11-20080614-5
ii  libgssapi-krb5-2       1.10.1+dfsg-3
ii  libselinux1            2.1.9-5
ii  libssl1.0.0            1.0.1c-4
ii  passwd                 1:4.1.5.1-1
ii  zlib1g                 1:1.2.7.dfsg-13

Versions of packages openssh-client recommends:
ii  openssh-blacklist        0.4.1+nmu1
ii  openssh-blacklist-extra  0.4.1+nmu1
ii  xauth                    1:1.0.7-1

Versions of packages openssh-client suggests:
ii  keychain      2.7.1-1
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information
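The mismatch the report describes, as an added illustration that is not part of the bug report or of OpenSSH itself: it builds SSHFP records (RFC 4255 algorithm/fingerprint numbers, RFC 6594 for ECDSA and SHA-256) over OpenSSH public key blobs and simulates a VerifyHostKeyDNS check with the algorithm set each client generation understands. The key blobs are constructed placeholders, not real keys, and the client behaviour is a simplified model of the report's claim.

```python
import hashlib
import struct

# SSHFP algorithm numbers: RFC 4255 (RSA=1, DSA=2), RFC 6594 (ECDSA=3)
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}
# Algorithm numbers each client generation knows, per the report above
CLIENT_5_7_TO_6_0 = {1, 2}   # RSA and DSA only
CLIENT_6_1 = {1, 2, 3}       # 6.1p1 adds ECDSA (bz#1978)

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def key_type(blob: bytes) -> str:
    """The first string in an OpenSSH public key blob names the key type."""
    n = struct.unpack(">I", blob[:4])[0]
    return blob[4:4 + n].decode("ascii")

def sshfp_record(blob: bytes, fptype: int):
    """(algorithm, fptype, hex fingerprint) for a key blob, the way a zone
    would publish it; None if the key type has no SSHFP algorithm number."""
    alg = SSHFP_ALG.get(key_type(blob))
    if alg is None:
        return None
    return (alg, fptype, SSHFP_HASH[fptype](blob).hexdigest())

def verify_host_key(blob: bytes, records: list, supported_algs: set) -> str:
    """Model of VerifyHostKeyDNS: match the offered host key against the
    published records using only algorithm numbers this client knows."""
    alg = SSHFP_ALG.get(key_type(blob))
    if alg not in supported_algs:
        return "unsupported"   # client cannot even derive a record to compare
    for rec_alg, fptype, fp in records:
        if rec_alg == alg and fptype in SSHFP_HASH \
                and SSHFP_HASH[fptype](blob).hexdigest() == fp:
            return "verified"
    return "no_match"

# Constructed placeholder key blobs (correct wire layout, fake key material)
RSA_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + b"\x5a" * 256))
ECDSA_BLOB = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
              + ssh_string(b"\x04" + b"\x11" * 64))

if __name__ == "__main__":
    zone = [sshfp_record(RSA_BLOB, 1), sshfp_record(ECDSA_BLOB, 2)]
    for alg, fptype, fp in zone:
        print(f"host IN SSHFP {alg} {fptype} {fp}")
    print("6.0 client, ECDSA key:", verify_host_key(ECDSA_BLOB, zone, CLIENT_5_7_TO_6_0))
    print("6.0 client, RSA key:  ", verify_host_key(RSA_BLOB, zone, CLIENT_5_7_TO_6_0))
    print("6.1 client, ECDSA key:", verify_host_key(ECDSA_BLOB, zone, CLIENT_6_1))
```

Restricting HostKeyAlgorithms to ssh-rsa,ssh-dss, as the report suggests, is what steers a 5.7 to 6.0 client onto the RSA path that returns "verified" here instead of the ECDSA path that returns "unsupported".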