Bug#896145: Wrong DNS resolving for SSHFP lookup
Package: openssh-client
Version: 1:7.7p1-2
Severity: normal
File: /usr/bin/ssh
Hello,
I have on my work machine
VerifyHostKeyDNS ask
in my ~/.ssh/config and
search mydomain
in /etc/resolv.conf (anonymized though).
With
tcpdump -i $landev udp port 53
running on my local DNS server, I see the following requests logged when I do
ssh anothermachine
from my work machine:
07:52:23.446609 IP work.mydomain.53992 > dnsserver.mydomain.53: 64011+ A? anothermachine.mydomain. (47)
07:52:23.446741 IP work.mydomain.53992 > dnsserver.mydomain.53: 59411+ AAAA? anothermachine.mydomain. (47)
07:52:23.447450 IP dnsserver.mydomain.53 > work.mydomain.53992: 64011* 1/0/0 A 192.168.0.12 (63)
07:52:23.447762 IP dnsserver.mydomain.53 > work.mydomain.53992: 59411 0/0/0 (47)
07:52:23.504582 IP work.mydomain.57475 > dnsserver.mydomain.53: 36966+ [1au] SSHFP? anothermachine. (34)
07:52:23.507386 IP dnsserver.mydomain.53 > work.mydomain.57475: 36966* 0/0/1 (34)
The request for "anothermachine.mydomain." can be answered by my local
DNS server directly; the request "anothermachine.", however, is forwarded
to the next upstream DNS server, and so my intent to connect is leaked.
I would expect that ssh asked for "SSHFP? anothermachine.mydomain."
instead of "SSHFP? anothermachine." in this case.
I didn't check the code, but I think the fix includes adding
AI_CANONNAME to hints.ai_flags in the call to getaddrinfo(3) and using
the returned ai_canonname for looking up the SSHFP DNS RR.
Best regards
Uwe
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (700, 'testing'), (600, 'unstable'), (500, 'unstable-debug'), (500, 'stable'), (499, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-client depends on:
ii adduser 3.117
ii dpkg 1.19.0.5
ii libbsd0 0.8.7-1
ii libc6 2.27-3
ii libedit2 3.1-20170329-1
ii libgssapi-krb5-2 1.16-2
ii libselinux1 2.7-2+b2
ii libssl1.0.2 1.0.2o-1
ii passwd 1:4.5-1
ii zlib1g 1:1.2.8.dfsg-5
Versions of packages openssh-client recommends:
ii xauth 1:1.0.10-1
Versions of packages openssh-client suggests:
pn keychain <none>
pn libpam-ssh <none>
pn monkeysphere <none>
pn ssh-askpass <none>
-- no debconf information
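The fix sketched in the report, as an added example in C that is neither the reporter's code nor OpenSSH's: the target is resolved with AI_CANONNAME set in the getaddrinfo(3) hints, and the owner name for the SSHFP query is taken from ai_canonname so that a bare "anothermachine" becomes "anothermachine.mydomain" before any SSHFP query leaves the host. The host name "anothermachine" and the domain "mydomain" are the placeholders from the report; sshfp_query_name and resolve_with_canonname are names chosen for this example, and main needs a working resolver to do anything useful.

```c
/*
 * Added example, not from the bug report or from OpenSSH. It shows the
 * proposed change: set AI_CANONNAME in the getaddrinfo() hints and use
 * the returned ai_canonname (already qualified by the resolver's search
 * list) as the owner name of the SSHFP lookup, instead of the bare name
 * the user typed.
 */
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/*
 * Choose the owner name for the SSHFP query. If the resolver returned a
 * canonical name, use it; otherwise fall back to what the user typed.
 * Kept free of network access so it can be tested on its own.
 */
const char *sshfp_query_name(const char *host, const char *canonname)
{
    if (canonname != NULL && canonname[0] != '\0')
        return canonname;
    return host;
}

/*
 * Resolve host the way a client would, but with AI_CANONNAME added to
 * ai_flags (the one-line change the report proposes). On success *out
 * holds the getaddrinfo() result (free with freeaddrinfo()) and 0 is
 * returned; otherwise the getaddrinfo() error code is returned.
 */
int resolve_with_canonname(const char *host, struct addrinfo **out)
{
    struct addrinfo hints;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_CANONNAME;   /* ask for ai_canonname to be filled in */
    return getaddrinfo(host, NULL, &hints, out);
}

int main(int argc, char **argv)
{
    /* "anothermachine" is the placeholder host name from the report. */
    const char *host = argc > 1 ? argv[1] : "anothermachine";
    struct addrinfo *res = NULL;
    int rc = resolve_with_canonname(host, &res);

    if (rc != 0) {
        fprintf(stderr, "getaddrinfo(%s): %s\n", host, gai_strerror(rc));
        return 1;
    }
    /* The first entry carries ai_canonname when AI_CANONNAME was set. */
    printf("user typed:  %s\n", host);
    printf("SSHFP owner: %s.\n", sshfp_query_name(host, res->ai_canonname));
    freeaddrinfo(res);
    return 0;
}
```

Two caveats when applying this: ai_canonname may be NULL (the function above then falls back to the typed name, which is exactly the leaking query from the report), and with CNAME records in play the canonical name is the CNAME target rather than simply the search-qualified input, so the SSHFP records must be published under that target name for the lookup to match.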