Bug 1978 - ECDSA & SHA256 support in SSHFP DNS records
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 5.9p1
Hardware: All All
Importance: P2 normal
Assignee: Assigned to nobody
URL: https://tools.ietf.org/html/draft-os-...
Keywords: low-hanging-fruit
Duplicates: 1972
Depends on:
Blocks: V_6_1
Reported: 2012-02-07 19:25 AEDT by martian67
Modified: 2015-08-11 23:05 AEST
Attachments
Patch to add support to ssh-keygen -r and ssh for ECDSA/SHA-256 SSHFP records (5.32 KB, patch)
2012-04-11 12:37 AEST, martian67
Patch to add ECDSA key records to host key records printed by ssh-keygen -r <hostname> (395 bytes, patch)
2012-06-02 02:07 AEST, Julien DÉCHARNE

Description martian67 2012-02-07 19:25:29 AEDT
As per the RFC draft, support for ECDSA and SHA256 in sshfp records. This is pretty necessary, because ssh now defaults to ECDSA keys, and setting VerifyHostKeyDNS results in errors, as SSHFP only supports RSA keys.
Comment 1 martian67 2012-04-11 12:37:53 AEST
Created attachment 2144
Patch to add support to ssh-keygen -r and ssh for ECDSA/SHA-256 SSHFP records
Comment 2 martian67 2012-04-11 12:38:53 AEST
oops, meant to say patch applies cleanly to 5.8 and 5.9, patch obtained from https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/entry/ssh-sshfp-ecdsa.patch
Comment 3 Damien Miller 2012-05-23 13:29:03 AEST
patch applied - this will be in openssh-6.1. Thanks!
Comment 4 Julien DÉCHARNE 2012-06-02 02:07:25 AEST
Created attachment 2161
Patch to add ECDSA key records to host key records printed by ssh-keygen -r <hostname>

When called without a filename (option -f), ssh-keygen -r <hostname> prints SSHFP records for 'host' key files (e.g. in /etc/ssh/ on most systems). This patch adds the ECDSA public key file to these host key files.
Comment 5 Julien DÉCHARNE 2012-06-02 02:13:58 AEST
Just forgot to say that the previous patch in this bug report (attachment 2144) obviously needs to be applied before ...
Comment 6 Damien Miller 2012-06-04 17:11:18 AEST
yes, the patch as committed included this fix
Comment 7 Damien Miller 2012-07-17 16:54:36 AEST
*** Bug 1972 has been marked as a duplicate of this bug. ***
Comment 8 Damien Miller 2015-08-11 23:05:25 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1
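
For reference, an added example (not part of the bug report or of the OpenSSH patches) showing how the SSHFP records discussed above are derived from a public key line, and how a record is checked against the key a server presents. The hostname and the sample key are constructed; the key blob has the correct wire layout but a dummy curve point, which is enough for fingerprinting.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers: 1 and 2 come from RFC 4255; 3 (ECDSA) is the value
# this bug adds support for, standardized in RFC 6594.
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(hostname, pubkey_line):
    """Return one SSHFP record per fingerprint type for a public key line."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob starts with a length-prefixed key type; it must match the label.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type label does not match key blob")
    alg = KEY_ALGS[key_type]  # KeyError for key types not listed above
    # The fingerprint is the digest of the whole decoded key blob.
    return [f"{hostname} IN SSHFP {alg} {fp} {h(blob).hexdigest()}"
            for fp, h in sorted(FP_TYPES.items())]


def matches(record, pubkey_line):
    """True if a published SSHFP record matches the presented host key."""
    return record in sshfp_records(record.split()[0], pubkey_line)


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def constructed_ecdsa_line(fill):
    """Constructed sample key line (dummy point, not a usable key)."""
    blob = (_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
            + _ssh_string(b"\x04" + bytes([fill]) * 64))
    return "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode() + " sample"


if __name__ == "__main__":
    for rr in sshfp_records("host.example.", constructed_ecdsa_line(0x11)):
        print(rr)
```

A client that only understands algorithm numbers 1 and 2 has no record to compare an ECDSA host key against, which is the VerifyHostKeyDNS failure the description reports.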