Bug 1672 - add local DNSSEC validation
Summary: add local DNSSEC validation
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh (show other bugs)
Version: 6.0p1
Hardware: Other Linux
Importance: P2 enhancement
Assignee: Assigned to nobody
Reported: 2009-11-19 06:15 AEDT by Robert Story
Modified: 2012-05-18 14:37 AEST (History)
Attachments
add local DNSSEC validation (24.93 KB, patch)
2009-11-19 06:15 AEDT, Robert Story
README (5.29 KB, text/plain)
2009-11-19 06:16 AEDT, Robert Story
updated patch against 5.8p2 (22.12 KB, patch)
2011-06-28 00:27 AEST, Robert Story
updated patch for 6.0p1 (30.98 KB, patch)
2012-05-10 06:43 AEST, Robert Story
update for 6.0p1 (32.28 KB, patch)
2012-05-18 14:36 AEST, Robert Story

Description Robert Story 2009-11-19 06:15:55 AEDT
Created attachment 1722
add local DNSSEC validation

The attached patch adds local DNSSEC validation to ssh using the DNSSEC-Tools libraries.
Comment 1 Robert Story 2009-11-19 06:16:26 AEDT
Created attachment 1723
README
Comment 2 jarrod.b.johnson+osb 2010-10-21 02:11:27 AEDT
I would like to see this baked into OpenSSH as well.  As it stands, the DNSSEC support for SSHFP has two critical gaps as far as I can tell:

-No protection for DNS hijacking between client and closest DNS server (e.g. most home users point at an ISP DNS server, so anyone with access to the ISP network can trick DNSSEC validated SSHFP records even without compromising the security of DNSSEC)

-The inability to cleanly deal with the case where the local nameserver is authoritative.  The AD bit won't be set if AA is set.  If I'm using a local DNS server as a repository for SSHFP records, I cannot use this infrastructure to help scripted execution of ssh as it stands, since it will receive authoritative, but not validated, data.  Commonly, a resolver on localhost can close the gap for most cases, but the problem of executing ssh from the DNS server itself is problematic.
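The AD/AA distinction in the comment above, as an added Python example (not code from the patch, from DNSSEC-Tools or from OpenSSH): it parses the DNS header flags, compares an SSHFP fingerprint against a host key blob, and shows why an authoritative local answer (AA set, AD clear) ends up classified as unvalidated even when the fingerprint matches. The host key blob, the SSHFP RDATA and the header-only DNS messages are constructed sample data; the answer section is not parsed, so the RDATA is passed in directly.

```python
import hashlib
import struct

# DNS header flag bits (RFC 1035 / RFC 4035).
FLAG_AA = 0x0400  # Authoritative Answer: sent by the zone's own server
FLAG_AD = 0x0020  # Authentic Data: the resolver performed DNSSEC validation

# SSHFP RDATA (RFC 4255): algorithm (1 octet), fingerprint type (1 octet), fingerprint.
SSHFP_HASH = {1: "sha1", 2: "sha256"}

# Constructed sample data: a fake host key blob and a matching SSHFP record
# (algorithm 4 = ssh-ed25519, fingerprint type 2 = SHA-256).
SAMPLE_HOSTKEY = b"constructed ssh host key blob"
SAMPLE_RDATA = bytes([4, 2]) + hashlib.sha256(SAMPLE_HOSTKEY).digest()


def build_header(flags: int) -> bytes:
    """Build a constructed 12-octet DNS header with one question and one answer."""
    return struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)


def dns_flags(message: bytes) -> dict:
    """Parse the DNS header and return the AA and AD bits plus RCODE."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", message[:12])
    return {"aa": bool(flags & FLAG_AA), "ad": bool(flags & FLAG_AD), "rcode": flags & 0xF}


def sshfp_matches(rdata: bytes, hostkey_blob: bytes) -> bool:
    """Compare the SSHFP fingerprint with the hash of the presented host key."""
    if len(rdata) < 3:
        raise ValueError("SSHFP RDATA too short")
    hashname = SSHFP_HASH.get(rdata[1])
    if hashname is None:
        return False  # unknown fingerprint type: nothing to compare against
    return hashlib.new(hashname, hostkey_blob).digest() == rdata[2:]


def classify_sshfp(message: bytes, rdata: bytes, hostkey_blob: bytes) -> str:
    """Simplified model of a client that trusts SSHFP only when AD is set.
    An authoritative answer carries AA but not AD, so correct data from the
    zone's own server is still reported as insecure."""
    hdr = dns_flags(message)
    if hdr["rcode"] != 0:
        return "no-answer"
    if not sshfp_matches(rdata, hostkey_blob):
        return "mismatch"
    if hdr["ad"]:
        return "trusted-match"
    return "insecure-match" + (" (authoritative, AD absent)" if hdr["aa"] else "")
```

A stub resolver that sets AD without validating locally is exactly the first gap in the comment: the bit is trusted as received, which is what a local validator removes.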
Comment 3 cuylaertspascal 2011-01-07 08:59:31 AEDT
I've been trying to patch OpenSSH 5.3p1 with the patch that can be found in dnssec-tools 1.8. During the final step, when I issue 'sudo make install' for OpenSSH, I always get the error that the shared library 'libsres.so.9' can't be found.

I've run the configure script for OpenSSH with the following parameters:
'./configure --with-local-dnssec-validation --with-ldflags=-L/usr/local/lib/ --prefix=/usr/bin --sysconfdir=/etc/ssh'

The library it tries to find can be found in '/usr/local/lib', so I don't know what I'm doing wrong here.

Does any of you have a clue?
Comment 4 Robert Story 2011-06-28 00:25:25 AEST
(In reply to comment #3)
> I've been trying to patch OpenSSH 5.3p1 with the patch that can be found
> in dnssec-tools 1.8. During the final step, when I issue 'sudo make
> install' for OpenSSH, I always get the error that the shared library
> 'libsres.so.9' can't be found.
> 
> I've run the configure script for OpenSSH with the following
> parameters:
> './configure --with-local-dnssec-validation
> --with-ldflags=-L/usr/local/lib/ --prefix=/usr/bin
> --sysconfdir=/etc/ssh'
> 
> The library it tries to find can be found in '/usr/local/lib', so I
> don't know what I'm doing wrong here.
> 
> Does any of you have a clue?

Maybe /usr/local/lib isn't in the search path for ld? Try adding it to /etc/ld.so.conf.
Comment 5 Robert Story 2011-06-28 00:27:05 AEST
Created attachment 2060
updated patch against 5.8p2
Comment 6 Robert Story 2012-05-10 06:43:53 AEST
Created attachment 2150
updated patch for 6.0p1

updated for 6.0p1
Comment 7 Robert Story 2012-05-18 14:36:23 AEST
Created attachment 2152
update for 6.0p1

Forgot to run autoreconf for the first pass at the 6.0p1 update. New patch updated after autoreconf and after updating a few function calls that have changed since the 5.8p1 version of the patch.