You may recall my speaking about SSH fingerprints about a year and a half ago, and that the situation wasn’t as clear-cut as I wished for. Well, yesterday I stumbled over a patch by Simon Vallet dated 2007 which adds ldns support to OpenSSH, thinking “why wasn’t that ever applied?”. Thankfully, Henk Jan Agteresch told me that it was indeed applied in April of this year.
The patch replaces the getrrsetbyname() function with one which uses ldns to obtain SSHFP records from the DNS. If the resolver responds with Authentic Data (+AD), processing continues as it did in Jakob Schlyter’s original getrrsetbyname(). The major difference in the patch (as I see it) is that ldns can attempt autonomous validation by verifying the signatures (RRSIG) in the DNS response, obtaining DNSKEYs as required in order to do so.
I configured and built a copy of OpenSSH portable version 6.01P1, adding --with-ldns to ./configure, and installed that.
I have corresponding SSHFP records for the host ubu.jpmens.org in the DNS, and the zone is signed as it was during the initial test.
I start off by configuring my workstation to use a non-validating DNS server. (I’ve truncated lots of debugging output in the following for brevity.)
Nothing has changed: the connection succeeds, ssh informs us it has found 2 insecure fingerprints in the DNS (and correctly ignores them because they haven’t been validated), doesn’t find the target host’s fingerprint in known_hosts and asks me whether I really want to connect to that host (supposedly I’ll verify the fingerprint out-of-band. Hah! :-).
Next attempt. This time I configure my workstation to use a validating DNS server.
The result is quite different: ssh finds SSHFP records in the DNS, compares those to the host’s fingerprint (they match), determines the DNS response is authentic (found 2 secure fingerprints in DNS), and continues into the authentication phase to ask for my password. It doesn’t ask me to validate the fingerprint because SSH trusts the authentic DNSSEC response. And SSH doesn’t store the fingerprint in .known_hosts either, which is fine – it doesn’t have to.
That’s the way SSHFP should work.
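To make the two outcomes above concrete, here is an added example (my own code, not part of OpenSSH or of the ldns patch) that computes the SSHFP records for a host key, parses the records a resolver would hand back, and applies the same rule ssh applies: matching records count as "secure" only when the resolver set the AD bit, otherwise they are "insecure" and ssh falls back to known_hosts and the interactive prompt. The key blob, the DNS answers and the tampered answer are all constructed in the script; the algorithm and fingerprint-type numbers are the current IANA SSHFP assignments (RFC 4255, RFC 6594, RFC 7479), so the table covers more key types than the 2012 OpenSSH the post was written against.

```python
import base64
import hashlib

# SSHFP algorithm numbers per OpenSSH key type (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGO = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line):
    """(algorithm, fptype, hexfingerprint) tuples a zone would publish for one
    OpenSSH public-key line. The hash covers the raw key blob, i.e. the
    base64-decoded second field of the line, not the text of the line."""
    keytype, blob_b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(blob_b64)
    return [(SSHFP_ALGO[keytype], fptype, h(blob).hexdigest())
            for fptype, h in SSHFP_HASH.items()]


def parse_sshfp(rdata):
    """Parse presentation-format rdata such as '4 2 ab12...' (hex may contain spaces)."""
    algo, fptype, fp = rdata.split(None, 2)
    return int(algo), int(fptype), fp.replace(" ", "").lower()


def verify_host_key_dns(pubkey_line, answers, ad_flag):
    """Decide as ssh does with VerifyHostKeyDNS: count SSHFP records that match
    the key offered by the server, but treat them as usable only when the
    resolver set the AD bit. Without AD they are 'insecure fingerprints'."""
    expected = set(sshfp_rdata(pubkey_line))
    received = {parse_sshfp(a) for a in answers}
    matches = len(expected & received)
    secure = matches > 0 and ad_flag
    return {"matches": matches, "secure": secure,
            "verdict": "trust" if secure else "ask"}


def _ssh_string(b):  # SSH wire-format string: 4-byte big-endian length + bytes
    return len(b).to_bytes(4, "big") + b

# Constructed sample key (NOT a real host key): a well-formed ssh-ed25519 blob
# whose 32-byte public point is simply 0x00..0x1f.
KEY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(KEY_BLOB).decode() + " constructed"
# Constructed DNS answers: the two SSHFP records the zone would publish for that key.
ANSWERS = ["%d %d %s" % r for r in sshfp_rdata(PUBKEY_LINE)]
# Constructed answers whose last hex digit was altered, as a spoofed reply would be.
TAMPERED = [a[:-1] + ("0" if a[-1] != "0" else "1") for a in ANSWERS]
```

Running verify_host_key_dns(PUBKEY_LINE, ANSWERS, ad_flag=False) reproduces the first attempt (2 matches, verdict "ask"), and with ad_flag=True the second (2 matches, verdict "trust"); TAMPERED yields 0 matches regardless of AD.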
Dear OS vendors and distribution packagers: please add --with-ldns to OpenSSH ASAP. #kthxbye