
Bug#748255: openssh-client: If VerifyHostKeyDNS is set, HostKeyAlgorithms should prefer algorithms with (comprehensible) SSHFP records
Package: openssh-client
Version: 1:6.0p1-4+deb7u1
Severity: normal

The version of ssh in wheezy has incomplete support for ECDSA keys.  In
particular, it doesn't know how to construct or verify SSHFP records for them
(dns.c, dns_read_key).  If we're going with the default HostKeyAlgorithm
selection, though, and the server indeed has an ECDSA host key, it'll offer
it to the client, which will then report an (unhelpful) error

	Error calculating host key fingerprint.

(dns.c, verify_host_key_dns).

Now, later OpenSSH versions have fixed this, by supporting SSHFP records for
ECDSA, but the problem still remains: if I've configured my client to verify
host keys against DNS, I'd hope that it would prioritize those key types for
which SSHFP records (a) exist, and (b) can be understood.

The latter property is obviously static, and I'd argue that the ordering of
wheezy's default HostKeyAlgorithms is just wrong.  But the former is dynamic,
and unfortunately the current code does things in the wrong order: it gets
the host key first, and only then looks to see which SSHFP records (if any)
are available.  This is likely to be quite a difficult change, so (a) I'm not
providing a patch, and (b) I'm not holding my breath.


-- System Information:
Debian Release: 7.5
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/3 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg                   1.16.14
ii  libc6                  2.13-38+deb7u1
ii  libedit2               2.11-20080614-5
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u1
ii  libselinux1            2.1.9-5
ii  libssl1.0.0            1.0.1e-2+deb7u7
ii  passwd                 1:4.1.5.1-1
ii  zlib1g                 1:1.2.7.dfsg-13

Versions of packages openssh-client recommends:
ii  openssh-blacklist        0.4.1+nmu1
ii  openssh-blacklist-extra  0.4.1+nmu1
pn  xauth                    <none>

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- Configuration Files:
/etc/ssh/moduli changed [not included]
/etc/ssh/ssh_config changed [not included]

-- no debconf information

