Re: DNSSEC working but SSHFP reported as insecure

> On Dec 3, 2022, at 12:37 PM, Andre Rodier <andre@rodier.me> wrote:
> 
> On Sat, 2022-12-03 at 12:09 -0700, Casey Deccio wrote:
>> 
>> It could be that your default DNS resolver is not validating.  ssh simply looks at the result of the DNSSEC validation
>> provided by your default resolver [1], so if it's not validating then you will never get "secure".  In the example in
>> your original post, you queried 1.1.1.1, which is a validating resolver.  But your default resolver might yield
>> different results.  To test, do the following:
>> 
>> $ dig +dnssec main.homebox.world sshfp
>> 
>> And look for the presence of the "ad" (authenticated data) flag in the response.
>> 
>> Casey
>> 
>> [1] https://github.com/openssh/openssh-portable/blob/master/dns.c#L230
> 
> Thanks for your suggestion.
> 
> I was already using 1.1.1.1 in /etc/resolv.conf, when I had the issue.
> 
> I am running Debian Bullseye.

Even so, please invoke the dig command above and check that the "ad" flag is present in the response.

If you see the "ad" flag there, then run your ssh command again, but before you do, start something like the following before you invoke your ssh command:

sudo tcpdump -n -w ssh-dns.pcap port 53

(Modify according to your setup...)

Then open ssh-dns.pcap in Wireshark and inspect the DNS response for the presence of the "ad" flag.

Here is my output from running ssh on my (nearly) stock debian bullseye system:

casey@rome:~$ ssh -o VerifyHostKeyDNS=ask -o UpdateHostKeys=no casey-test@main.homebox.world
The authenticity of host 'main.homebox.world (2001:19f0:7402:86e:5400:4ff:fe38:b9b4)' can't be established.
ECDSA key fingerprint is SHA256:AMS/SI0c2IA2hufsFiTcE61/q7JYA5TtNUT6FRz1dd4.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
casey@rome:~$ ssh -o VerifyHostKeyDNS=yes -o UpdateHostKeys=no casey-test@main.homebox.world
casey-test@main.homebox.world: Permission denied (publickey).

You can see that when I used VerifyHostKeyDNS=yes, it clearly trusted the host, based on the SSHFP record.

Casey
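The two checks the thread turns on, the resolver's "ad" flag and the SSHFP fingerprint match, can be reproduced offline. The following is an added example written for this page, not code from the thread or from OpenSSH; it assumes a constructed throwaway Ed25519 key, header-only DNS responses with the flags set by hand, and SSHFP rdata passed in as tuples rather than parsed out of the answer section. `query_udp` is the only part that needs a network and is not called by the offline demo.

```python
"""Offline reproduction of what ssh does with an SSHFP lookup: compare the host
key fingerprint with the SSHFP rdata, and treat the match as 'secure' only when
the resolver set the AD (authenticated data) flag.  Added example, not from the
thread; the key, responses and rdata below are constructed."""
import base64
import hashlib
import socket
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

SSHFP_QTYPE = 44
AD_FLAG = 0x0020   # "authenticated data" bit in the DNS header flags word
EDNS_DO = 0x8000   # DNSSEC OK bit in the OPT record's extended flags


def sshfp_records(pubkey_line):
    """(algorithm, fptype, hex fingerprint) tuples for an OpenSSH public key line.
    The fingerprint is the hash of the raw key blob, which is what `ssh-keygen -r` publishes."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, fptype, h(blob).hexdigest()) for fptype, h in sorted(SSHFP_HASH.items())]


def host_key_matches(pubkey_line, rdata):
    """True if any SSHFP rdata tuple (alg, fptype, hexfp) matches the presented host key."""
    wanted = {(a, t, fp.lower()) for a, t, fp in sshfp_records(pubkey_line)}
    return any((a, t, fp.lower()) in wanted for a, t, fp in rdata)


def build_sshfp_query(name, txid=0x1234):
    """Minimal DNS query for <name> SSHFP with EDNS0 and the DO bit set, as `dig +dnssec` sends."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional (OPT)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack(">HH", SSHFP_QTYPE, 1)       # type SSHFP, class IN
    opt = b"\x00" + struct.pack(">HHIH", 41, 1232, EDNS_DO, 0)  # root name, OPT, UDP size, ext flags, rdlen
    return header + question + opt


def has_ad_flag(response):
    """True if the resolver set AD, i.e. it validated the answer with DNSSEC itself."""
    (flags,) = struct.unpack(">H", response[2:4])
    return bool(flags & AD_FLAG)


def sshfp_verdict(response, pubkey_line, rdata):
    """Combine both checks: a fingerprint match is only 'secure' when AD is set."""
    if not host_key_matches(pubkey_line, rdata):
        return "no match"
    return "secure match" if has_ad_flag(response) else "insecure match"


def query_udp(name, server="1.1.1.1", timeout=3.0):
    """Send the query over UDP (needs network; not used by the offline demo below)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_sshfp_query(name), (server, 53))
        return s.recv(4096)


# --- constructed sample data: a throwaway Ed25519 key blob and two header-only responses ---
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " demo@example"
SAMPLE_RDATA = [(4, 2, hashlib.sha256(_blob).hexdigest().upper())]  # as it might appear in a zone file
# Flags 0x81A0 = QR|RD|RA|AD (validated); 0x8180 = QR|RD|RA (resolver did not validate).
VALIDATED_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
UNVALIDATED_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)

if __name__ == "__main__":
    print(sshfp_verdict(VALIDATED_RESPONSE, SAMPLE_PUBKEY, SAMPLE_RDATA))    # secure match
    print(sshfp_verdict(UNVALIDATED_RESPONSE, SAMPLE_PUBKEY, SAMPLE_RDATA))  # insecure match
```

The second verdict is the situation in the thread: the fingerprint in DNS matches, so ssh prints "Matching host key fingerprint found in DNS", but without AD from the resolver actually used by the ssh process the record is treated as insecure and the prompt is not skipped. Running `has_ad_flag` over a real response captured with the tcpdump command above tells you which resolver answered and whether it validated.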