
Bug#804817: Manpage gives misleading information about "secure fingerprints" from DNS (SSHFP records)



Package: openssh-client
Version: 1:6.9p1-2+b1
Severity: normal
File: /usr/share/man/man5/ssh_config.5.gz
Tags: upstream patch

The ssh_config(5) manpage states:

   VerifyHostKeyDNS
         Specifies whether to verify the remote key using
         DNS and SSHFP resource records. If this option is
         set to “yes”, the client will implicitly trust
         keys that match a secure fingerprint from DNS.
         Insecure fingerprints will be handled as if this
         option was set to “ask”.

It's quite misleading to speak of "secure fingerprint from DNS",
which could only be considered secure with proper DNSSEC
verification in place, but that doesn't happen yet (#618863).

The distinction apparently being made here is between fingerprints
from DNS (which are considered "secure", oh my…), and fingerprints
not from DNS.

I suggest the following rewording:

  Specifies whether to verify the remote key using DNS and SSHFP
  resource records. If this option is set to "yes", the client will
  implicitly trust keys for which a matching fingerprint can be
  obtained from DNS. When this is not the case, the connection
  attempt is handled as if this option was set to "ask".

Long term and with reference to #618863 it would make sense to
introduce a new option "insecure" to replace the current "yes", and
have a new "yes" only apply implicit trust if the fingerprint
matches and the DNS information could be verified.

Thanks for your consideration.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.18.3
ii  libc6             2.19-22
ii  libedit2          3.1-20150325-1
ii  libgssapi-krb5-2  1.13.2+dfsg-4
ii  libselinux1       2.3-2+b1
ii  libssl1.0.2       1.0.2d-3
ii  passwd            1:4.2-3
ii  zlib1g            1:1.2.8.dfsg-2+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain                         <none>
pn  libpam-ssh                       <none>
ii  monkeysphere                     0.37-3
ii  ssh-askpass-gnome [ssh-askpass]  1:6.9p1-2+b1

-- debconf-show failed


-- 
 .''`.   martin f. krafft <madduck@d.o> @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems

Attachment: digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)
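
Added example (not part of the original report and not OpenSSH code): a sketch of the long-term semantics proposed in the report, where "insecure" trusts any matching SSHFP fingerprint and "yes" trusts a match only when the DNS answer was verified. The names sshfp_matches and decide, the dnssec_validated flag (which the caller must establish itself), the "ask" result for a matching but unverified record, and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
            "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_matches(pubkey_line, rdata):
    """True if SSHFP RDATA "<alg> <fptype> <hex>" matches the host key."""
    keytype, b64 = pubkey_line.split()[:2]
    alg, fptype, hexfp = rdata.split(None, 2)
    if KEY_ALGS.get(keytype) != int(alg) or int(fptype) not in FP_HASHES:
        return False
    # The fingerprint is the hash of the raw public key blob.
    digest = FP_HASHES[int(fptype)](base64.b64decode(b64)).hexdigest()
    return digest == hexfp.replace(" ", "").lower()


def decide(setting, pubkey_line, records, dnssec_validated):
    """Return "trust" or "ask" under the semantics proposed in the report."""
    if setting not in ("yes", "insecure", "ask"):
        raise ValueError("unsupported setting: %r" % setting)
    matched = any(sshfp_matches(pubkey_line, r) for r in records)
    if not matched or setting == "ask":
        return "ask"
    if setting == "insecure":
        return "trust"          # match is enough, DNS answer unverified
    # Proposed new "yes": implicit trust only for a verified DNS answer.
    # Falling back to "ask" otherwise is an assumption of this sketch.
    return "trust" if dnssec_validated else "ask"


def ssh_string(data):
    """Length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


# Constructed sample input: an Ed25519-shaped key blob with dummy key bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 %s constructed@example" % (
    base64.b64encode(SAMPLE_BLOB).decode())
SAMPLE_RR = "4 2 " + hashlib.sha256(SAMPLE_BLOB).hexdigest()

if __name__ == "__main__":
    for setting in ("insecure", "yes"):
        for validated in (False, True):
            print(setting, validated,
                  decide(setting, SAMPLE_KEY, [SAMPLE_RR], validated))
```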

