[Bug 1898590] Re: Verify DNS fingerprints not working
Christian Ehrhardt
1898590 at bugs.launchpad.net
Wed Oct 14 09:45:06 UTC 2020
Turns out this seems to be a never-ending story, and you might have found
a comeback of that issue for your particular configuration, as you say
this worked on 18.04 but fails on 20.04.
This goes way back:
https://bugzilla.mindrot.org/show_bug.cgi?id=1455
Or half way back
https://trac.macports.org/ticket/49007
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618863
https://bugzilla.mindrot.org/show_bug.cgi?id=2119
Other more recent similar issues were around "options edns0" being required to be set for this to work now:
https://github.com/NixOS/nixpkgs/issues/12470
https://exanames.typepad.com/blog/2009/06/one-more-thing-to-do-with-dnssec-ssh.html
https://bugzilla.redhat.com/show_bug.cgi?id=1630180
https://bugzilla.redhat.com/show_bug.cgi?id=1878166
Note: that option was the default for /etc/resolv.conf on Bionic/Focal for me.
Various working setups seem to have been affected by 7.5
https://lists.mindrot.org/pipermail/openssh-bugs/2017-April/017631.html
https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-January/036600.html
https://bugzilla.mindrot.org/show_bug.cgi?id=2708
But Bionic -> Focal is openssh version 7.6 -> 8.3
Multiple of the above and some other references refer to requiring ldns support.
That has clearly been in openssh since ~v6, but we don't enable it at build time:
libldns support: no
Is that required, and is it now more required than before? I don't know :-/
Sorry, all that I could provide so far was a collection of a (disturbing) history of that feature.
** Bug watch added: OpenSSH Portable Bugzilla #1455
https://bugzilla.mindrot.org/show_bug.cgi?id=1455
** Bug watch added: trac.macports.org #49007
http://trac.macports.org/ticket/49007
** Bug watch added: Debian Bug tracker #618863
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618863
** Bug watch added: OpenSSH Portable Bugzilla #2119
https://bugzilla.mindrot.org/show_bug.cgi?id=2119
** Bug watch added: github.com/NixOS/nixpkgs/issues #12470
https://github.com/NixOS/nixpkgs/issues/12470
** Bug watch added: Red Hat Bugzilla #1630180
https://bugzilla.redhat.com/show_bug.cgi?id=1630180
** Bug watch added: Red Hat Bugzilla #1878166
https://bugzilla.redhat.com/show_bug.cgi?id=1878166
** Bug watch added: OpenSSH Portable Bugzilla #2708
https://bugzilla.mindrot.org/show_bug.cgi?id=2708
https://bugs.launchpad.net/bugs/1898590
Title:
Verify DNS fingerprints not working
Status in openssh package in Ubuntu:
Confirmed
Bug description:
When setting in /etc/ssh/ssh_config VerifyHostKeyDNS to yes the fingerprints are fetched, but the result is always:
debug1: found n insecure fingerprints in DNS
With dig +dnssec -tsshfp hostname the result is OK: the ad flag is set.
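To make the pieces of this thread concrete (what ssh hashes and compares, why `options edns0` matters, and what the "insecure fingerprints" verdict hinges on), here is an added stand-alone example that is not part of the bug report or of OpenSSH. It builds a raw SSHFP query with or without the EDNS0 OPT record and DO bit, checks a response header for the AD flag, and computes the SSHFP fingerprints of an OpenSSH public key line; the host name, key and record values are constructed, not real.

```python
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, 6594, 7479).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}
SSHFP_TYPE = 44  # DNS RR type number for SSHFP

def sshfp_records(pubkey_line):
    """(alg, fptype, hex-fingerprint) tuples for an OpenSSH public key line,
    the same values `ssh-keygen -r` prints and ssh compares against DNS."""
    keytype, blob_b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(blob_b64)
    return [(SSHFP_ALG[keytype], t, h(blob).hexdigest()) for t, h in SSHFP_HASH.items()]

def host_key_matches(pubkey_line, dns_records):
    """True if any SSHFP record from DNS equals a fingerprint of the offered host key."""
    return any(r in sshfp_records(pubkey_line) for r in dns_records)

def build_sshfp_query(hostname, edns0=True, txid=0x1234):
    """Raw DNS query for <hostname> SSHFP. With edns0=True an OPT RR carrying the DO bit
    is appended, which is what `options edns0` in resolv.conf makes the stub resolver do;
    without it a validating resolver has no way to signal DNSSEC status back."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns0 else 0)  # RD set
    qname = b"".join(bytes([len(l)]) + l.encode() for l in hostname.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", SSHFP_TYPE, 1)
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0) if edns0 else b""
    return header + question + opt

def answer_is_secure(response):
    """ssh counts an SSHFP answer as 'insecure' unless the AD (authenticated data) flag,
    bit 0x0020 of the header flags, was set by a validating resolver."""
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & 0x0020)

# Constructed sample: an ssh-ed25519 key whose 32-byte public value is all zeros (not a real key).
_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(32)
EXAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " constructed@example"

if __name__ == "__main__":
    for alg, fptype, fp in sshfp_records(EXAMPLE_KEY):
        print(f"host.example IN SSHFP {alg} {fptype} {fp}")
    print("DO bit in query:", build_sshfp_query("host.example").endswith(b"\x80\x00\x00\x00"))
```

Sending `build_sshfp_query(...)` to a local validating resolver and feeding the reply to `answer_is_secure` reproduces, outside ssh, the check behind "found n insecure fingerprints in DNS".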