Bug 2501

Summary: VerifyHostKeyDNS & StrictHostKeyChecking
Product: Portable OpenSSH Reporter: Thordur Bjornsson <thorduri>
Component: sshAssignee: Damien Miller <djm>
Status: REOPENED ---    
Severity: normal CC: djm, dtucker, thorduri
Priority: P5    
Version: 7.1p1   
Hardware: All   
OS: All   
Attachments:
Description Flags
Two patches for the above.
none
updated to current dtucker: ok+

Description Thordur Bjornsson 2015-11-19 19:11:31 AEDT 
Created attachment 2753 [details]
Two patches for the above.

When SSHFP RR is missing (while there are records available) ssh does not
distinguish between these two, leading to confusing error messages, that
is the "normal" warn_changed_key() blurb is emitted.

Further, when VerifyHostDNS is set and StrictHostKeyChecking is set and
the host presented key matches the known host key but the RR is missing
the same warning is emitted however the user is not prompted for confirmation
that the connection should continue (this might be by design) but I'd argue
it violates POLA.

Attached are two naïve patches to portable (cloned from
anongit@mindrot.org) that attempt to tackle the above.
Comment 1 Thordur Bjornsson 2016-01-29 03:17:15 AEDT 
Worth keeping this open ?
Comment 2 Damien Miller 2016-02-26 14:44:26 AEDT 
Retarget to openssh-7.3
Comment 3 Damien Miller 2016-02-26 14:47:29 AEDT 
Retarget to openssh-7.3
Comment 4 Damien Miller 2016-07-22 14:10:49 AEST 
retarget unfinished bugs to next release
Comment 5 Damien Miller 2016-07-22 14:14:37 AEST 
retarget unfinished bugs to next release
Comment 6 Damien Miller 2016-07-22 14:15:49 AEST 
retarget unfinished bugs to next release
Comment 7 Damien Miller 2016-07-22 14:17:20 AEST 
retarget unfinished bugs to next release
Comment 8 Damien Miller 2016-12-16 14:31:26 AEDT 
OpenSSH 7.4 release is closing; punt the bugs to 7.5
Comment 9 Damien Miller 2017-06-30 13:43:05 AEST 
Move incomplete bugs to openssh-7.6 target since 7.5 shipped a while back.

To calibrate expectations, there's little chance all of these are going to make 7.6.
Comment 10 Damien Miller 2017-06-30 13:44:23 AEST 
remove 7.5 target
Comment 11 Damien Miller 2017-09-01 13:52:47 AEST 
Created attachment 3046 [details]
updated to current

This looks reasonable to me. Darren?
Comment 12 Damien Miller 2017-09-01 15:53:17 AEST 
Patch applied. This will be in OpenSSH 7.6
Comment 13 Darren Tucker 2017-09-14 15:29:55 AEST 
commit aea59a0d9f120f2a87c7f494a0d9c51eaa79b8ba
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Thu Sep 14 04:32:21 2017 +0000

    upstream commit
    
    Revert commitid: gJtIN6rRTS3CHy9b.
    
    -------------
    identify the case where SSHFP records are missing but other DNS RR
    types are present and display a more useful error message for this
    case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
    -------------
    
    This caused unexpected failures when VerifyHostKeyDNS=yes, SSHFP results
    are missing but the user already has the key in known_hosts
    
    Spotted by dtucker@
    
    Upstream-ID: 97e31742fddaf72046f6ffef091ec0d823299920
Comment 14 Damien Miller 2018-04-06 13:12:17 AEST 
Move to OpenSSH 7.8 tracking bug
Comment 15 Damien Miller 2018-04-13 13:56:46 AEST 
So basically this needs to be rewritten to make the behaviour changes / warnings happen only after the key has been checked for in known_hosts.