
Bug#896145: Wrong DNS resolving for SSHFP lookup



Package: openssh-client
Version: 1:7.7p1-2
Severity: normal
File: /usr/bin/ssh

Hello,

I have on my work machine

	VerifyHostKeyDNS ask

in my ~/.ssh/config and

	search mydomain

in /etc/resolv.conf (anonymized, though).

With

	tcpdump -i $landev udp port 53

running on my local DNS server, I see the following requests logged when I do

	ssh anothermachine

from my work machine:

07:52:23.446609 IP work.mydomain.53992 > dnsserver.mydomain.53: 64011+ A? anothermachine.mydomain. (47)
07:52:23.446741 IP work.mydomain.53992 > dnsserver.mydomain.53: 59411+ AAAA? anothermachine.mydomain. (47)
07:52:23.447450 IP dnsserver.mydomain.53 > work.mydomain.53992: 64011* 1/0/0 A 192.168.0.12 (63)
07:52:23.447762 IP dnsserver.mydomain.53 > work.mydomain.53992: 59411 0/0/0 (47)
07:52:23.504582 IP work.mydomain.57475 > dnsserver.mydomain.53: 36966+ [1au] SSHFP? anothermachine. (34)
07:52:23.507386 IP dnsserver.mydomain.53 > work.mydomain.57475: 36966* 0/0/1 (34)

The request for "anothermachine.mydomain." can be answered by my local
DNS server directly; the request for "anothermachine." however is forwarded
to the next upstream DNS server, and so my intent to connect is leaked.

I would expect ssh to ask for "SSHFP? anothermachine.mydomain."
instead of "SSHFP? anothermachine." in this case.

I didn't check the code, but I think the fix includes adding
AI_CANONNAME to hints.ai_flags in the call to getaddrinfo(3) and using
the returned ai_canonname for looking up the SSHFP DNS RR.

Best regards
Uwe

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (500, 'unstable-debug'), (500, 'stable'), (499, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.117
ii  dpkg              1.19.0.5
ii  libbsd0           0.8.7-1
ii  libc6             2.27-3
ii  libedit2          3.1-20170329-1
ii  libgssapi-krb5-2  1.16-2
ii  libselinux1       2.7-2+b2
ii  libssl1.0.2       1.0.2o-1
ii  passwd            1:4.5-1
ii  zlib1g            1:1.2.8.dfsg-5

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.10-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information
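The following is an added illustration of the fix the report proposes; it is not OpenSSH's code. It resolves the user-typed host with AI_CANONNAME set and uses the resolver's ai_canonname (for example the search-list-completed "anothermachine.mydomain") as the owner name of the SSHFP query, falling back to the typed name when the resolver returns no canonical name; the function names and the "anothermachine" / "mydomain" values are assumptions taken from the report.

```c
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Owner name to use for the SSHFP query: the canonical name the
 * resolver returned (search list already applied), otherwise the
 * name exactly as the user typed it (current ssh behaviour). */
static const char *sshfp_owner_name(const char *user_host,
                                    const struct addrinfo *res)
{
    if (res != NULL && res->ai_canonname != NULL &&
        res->ai_canonname[0] != '\0')
        return res->ai_canonname;
    return user_host;
}

/* Resolve user_host with AI_CANONNAME (the flag the report proposes
 * adding to hints.ai_flags) and copy the SSHFP owner name into out.
 * Returns out, or NULL if getaddrinfo(3) fails. */
static char *resolve_sshfp_owner(const char *user_host,
                                 char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_CANONNAME;
    if (getaddrinfo(user_host, NULL, &hints, &res) != 0)
        return NULL;
    snprintf(out, outlen, "%s", sshfp_owner_name(user_host, res));
    freeaddrinfo(res);
    return out;
}

int main(int argc, char **argv)
{
    char owner[256];
    const char *host = argc > 1 ? argv[1] : "localhost";

    if (resolve_sshfp_owner(host, owner, sizeof owner) == NULL) {
        fprintf(stderr, "getaddrinfo(%s) failed\n", host);
        return 1;
    }
    printf("user typed:  %s\nSSHFP owner: %s.\n", host, owner);
    return 0;
}
```

Note that a search-list-completed owner name only keeps the query inside the local zone; whether the returned SSHFP record can be trusted is still decided by DNSSEC validation (the AD bit), which this snippet does not check.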

