Created attachment 2753: Two patches for the above.

When the SSHFP RR is missing (while there are records available), ssh does not distinguish between these two cases, leading to confusing error messages; that is, the "normal" warn_changed_key() blurb is emitted. Further, when VerifyHostDNS is set and StrictHostKeyChecking is set and the host-presented key matches the known host key but the RR is missing, the same warning is emitted; however, the user is not prompted for confirmation that the connection should continue (this might be by design), but I'd argue it violates POLA. Attached are two naïve patches to portable (cloned from anongit@mindrot.org) that attempt to tackle the above.
Worth keeping this open?
Retarget to openssh-7.3
retarget unfinished bugs to next release
OpenSSH 7.4 release is closing; punt the bugs to 7.5
Move incomplete bugs to openssh-7.6 target since 7.5 shipped a while back. To calibrate expectations, there's little chance all of these are going to make 7.6.
remove 7.5 target
Created attachment 3046: updated to current

This looks reasonable to me. Darren?
Patch applied. This will be in OpenSSH 7.6
commit aea59a0d9f120f2a87c7f494a0d9c51eaa79b8ba
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Thu Sep 14 04:32:21 2017 +0000

    upstream commit

    Revert commitid: gJtIN6rRTS3CHy9b.
    -------------
    identify the case where SSHFP records are missing but other DNS RR types
    are present and display a more useful error message for this case;
    patch by Thordur Bjornsson; bz#2501; ok dtucker@
    -------------
    This caused unexpected failures when VerifyHostKeyDNS=yes, SSHFP results
    are missing but the user already has the key in known_hosts

    Spotted by dtucker@

    Upstream-ID: 97e31742fddaf72046f6ffef091ec0d823299920
Move to OpenSSH 7.8 tracking bug
So basically this needs to be rewritten to make the behaviour changes / warnings happen only after the key has been checked for in known_hosts.
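A small Python model of the ordering asked for above, added here as an illustration and not taken from the patches or from OpenSSH itself: known_hosts is consulted first, and the SSHFP lookup result (distinguishing "no records at all" from "other RR types but no SSHFP") only shapes the message when the host is not already known. The rrsets dict, fingerprint strings, host names and message texts are constructed stand-ins.

```python
from enum import Enum, auto

class DnsStatus(Enum):
    """Outcome of an SSHFP lookup, separating 'nothing at all' from 'no SSHFP'."""
    NXDOMAIN = auto()        # name has no records of any type
    NO_SSHFP = auto()        # name exists (A/AAAA/...) but carries no SSHFP RR
    SSHFP_MATCH = auto()     # an SSHFP RR matches the presented key fingerprint
    SSHFP_MISMATCH = auto()  # SSHFP RRs exist, none matches

def classify_lookup(rrsets, presented_fp):
    """rrsets: constructed {rrtype: [rdata, ...]} stand-in for a DNS answer."""
    if not rrsets:
        return DnsStatus.NXDOMAIN
    sshfp = rrsets.get("SSHFP", [])
    if not sshfp:
        return DnsStatus.NO_SSHFP
    return DnsStatus.SSHFP_MATCH if presented_fp in sshfp else DnsStatus.SSHFP_MISMATCH

def decide(known_hosts, host, presented_fp, rrsets, verify_dns=True, strict=False):
    """Return (action, message). known_hosts wins; DNS is only consulted afterwards."""
    known = known_hosts.get(host)
    if known is not None:
        if known == presented_fp:
            return "accept", ""   # known key: no DNS-related warning even if SSHFP is absent
        return "reject", "host key differs from known_hosts entry (warn_changed_key case)"
    message = ""
    if verify_dns:
        status = classify_lookup(rrsets, presented_fp)
        if status is DnsStatus.SSHFP_MATCH:
            return "accept", "host key verified via SSHFP"
        if status is DnsStatus.SSHFP_MISMATCH:
            return "reject", "host key does not match any SSHFP record"
        # Missing-record cases get distinct wording instead of the changed-key blurb
        message = ("no SSHFP records, although other DNS records exist for the host"
                   if status is DnsStatus.NO_SSHFP else "no DNS records found for the host")
    return ("reject" if strict else "prompt"), message

if __name__ == "__main__":
    hosts = {"gw.example.invalid": "SHA256:KNOWN"}  # constructed known_hosts
    print(decide(hosts, "gw.example.invalid", "SHA256:KNOWN", {}))
    print(decide(hosts, "new.example.invalid", "SHA256:NEW", {"A": ["192.0.2.10"]}))
```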