Debian Bug report logs - #618863
/usr/bin/ssh: insecurely verifies host key with VerifyHostKeyDNS option

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Rob Leslie <rob@mars.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: /usr/bin/ssh: insecurely verifies host key with VerifyHostKeyDNS option

Date: Fri, 18 Mar 2011 19:41:36 -0700

Package: openssh-client
Version: 1:5.5p1-6
Severity: normal
File: /usr/bin/ssh
Tags: upstream

When the VerifyHostKeyDNS option is used, ssh attempts to verify unknown
remote host keys by looking up SSHFP records in DNS. It relies on the AD
(Authentic Data) flag in the response to determine whether the fingerprint
it receives has been cryptographically verified by the resolver (i.e. with
DNSSEC) and if so, may rely on the matching host key with no further
verification.

This is insecure because ssh has no guarantee the communication between
the local (stub) resolver and an external recursive resolver which does the
cryptographic validation has not been tampered with. An attacker could
easily forge a response to the local resolver with the AD flag set.

Even if the communication could be guaranteed to be secure, relying on the
AD flag is wrong for another reason: a recursive resolver which also
happens to be authoritative for a zone is not required to check the
validity of its authoritative answers or set the AD flag in such responses.
(It will, however, set the AA flag.) [See RFC 3655 sec. 2.2]

I'm not aware of a means by which applications can securely determine
the cryptographic validity of answers to DNS queries short of performing
their own validations.

A patch to perform local DNSSEC validation for all ssh DNS lookups is
apparently included as part of DNSSEC-Tools:

  http://www.dnssec-tools.org/readme/README.ssh

I would recommend that upstream consider integrating local DNSSEC
validations for all DNS lookups, and not rely on the AD flag at all.


-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'squeeze-updates')
Architecture: i386 (i686)

Kernel: Linux 2.6.38 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser     3.112+nmu2                   add and remove users and groups
ii  debconf [de 1.5.36.1                     Debian configuration management sy
ii  dpkg        1.15.8.10                    Debian package management system
ii  libc6       2.11.2-11                    Embedded GNU C Library: Shared lib
ii  libedit2    2.11-20080614-2              BSD editline and history libraries
ii  libgssapi-k 1.8.3+dfsg-4                 MIT Kerberos runtime libraries - k
ii  libssl0.9.8 0.9.8o-4squeeze1             SSL shared libraries
ii  passwd      1:4.1.4.2+svn3283-2+squeeze1 change and administer password and
ii  zlib1g      1:1.2.3.4.dfsg-3             compression library - runtime

Versions of packages openssh-client recommends:
ii  openssh-blacklist             0.4.1      list of default blacklisted OpenSS
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.4-1  X authentication utility

Versions of packages openssh-client suggests:
ii  keychain                      2.6.8-2    key manager for OpenSSH
pn  libpam-ssh                    <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)

-- no debconf information

Message #10 received at 618863@bugs.debian.org (full text, mbox, reply):

From: Philipp Kern <pkern@debian.org>

To: Rob Leslie <rob@mars.org>, 618863@bugs.debian.org

Subject: Re: Bug#618863: /usr/bin/ssh: insecurely verifies host key with VerifyHostKeyDNS option

Date: Thu, 17 Jan 2013 23:41:18 +0100

[Message part 1 (text/plain, inline)]

On Fri, Mar 18, 2011 at 07:41:36PM -0700, Rob Leslie wrote:
> When the VerifyHostKeyDNS option is used, ssh attempts to verify unknown
> remote host keys by looking up SSHFP records in DNS. It relies on the AD
> (Authentic Data) flag in the response to determine whether the fingerprint
> it receives has been cryptographically verified by the resolver (i.e. with
> DNSSEC) and if so, may rely on the matching host key with no further
> verification.

Interestingly the default changed from "yes" to "no" at some point.

openssh (1:5.4p1-2) unstable; urgency=low

  * Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is
    installed, the host key is published in an SSHFP RR secured with DNSSEC,
    and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key
    verification (closes: #572049).
[…]

 -- Colin Watson <cjwatson@debian.org>  Sat, 10 Apr 2010 01:08:59 +0100

And I just had to flip it on manually. The manual page also says that
it's off byd efault.

The problem with authoriative servers not setting AD is also something I
personally experienced and which is quite annoying. But then I agree
that authoriative and recursor should be split nowadays, although it's a
bit hard to do in a home network environment.

Kind regards
Philipp Kern

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 618863@bugs.debian.org (full text, mbox, reply):

From: Richard Salts <dbts@spectralmud.org>

To: Debian Bug Tracking System <618863@bugs.debian.org>

Subject: Re: /usr/bin/ssh: insecurely verifies host key with VerifyHostKeyDNS option

Date: Mon, 29 Jul 2013 17:45:43 +1000

Package: openssh-client
Version: 1:6.0p1-4
Followup-For: Bug #618863

openssh now includes a configure option to link to ldns for verification of
the dnssec service rather than relying on the +ad bit in a response for a
resolver. Maybe it would be worth adding that to the configuration options on
the deb ( although probably not necessary on the udeb).

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (900, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-client depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg                   1.16.10
ii  libc6                  2.13-38
ii  libedit2               2.11-20080614-5
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u1
ii  libselinux1            2.1.9-5
ii  libssl1.0.0            1.0.1e-2
ii  passwd                 1:4.1.5.1-1
ii  zlib1g                 1:1.2.7.dfsg-13

Versions of packages openssh-client recommends:
ii  openssh-blacklist        0.4.1+nmu1
ii  openssh-blacklist-extra  0.4.1+nmu1
ii  xauth                    1:1.0.7-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
ii  ssh-askpass   1:1.2.4.1-9

-- Configuration Files:
/etc/ssh/ssh_config changed [not included]

-- no debconf information

Message #20 received at 618863@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>

To: Debian Bug Tracking System <618863@bugs.debian.org>

Subject: Re: /usr/bin/ssh: insecurely verifies host key with VerifyHostKeyDNS option

Date: Thu, 12 Nov 2015 16:26:21 +1300

[Message part 1 (text/plain, inline)]

Package: openssh-client
Version: 1:6.9p1-2+b1
Followup-For: Bug #618863

It appears that /usr/bin/ssh still does not verify the DNS
information properly. What's the status of this issue? What is
upstream's take? Has this issue been taken upstream?

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.18.3
ii  libc6             2.19-22
ii  libedit2          3.1-20150325-1
ii  libgssapi-krb5-2  1.13.2+dfsg-4
ii  libselinux1       2.3-2+b1
ii  libssl1.0.2       1.0.2d-3
ii  passwd            1:4.2-3
ii  zlib1g            1:1.2.8.dfsg-2+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain                         <none>
pn  libpam-ssh                       <none>
ii  monkeysphere                     0.37-3
ii  ssh-askpass-gnome [ssh-askpass]  1:6.9p1-2+b1

-- debconf-show failed


-- 
 .''`.   martin f. krafft <madduck@d.o> @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems

[digital_signature_gpg.asc (application/pgp-signature, inline)]

Message #25 received at 618863@bugs.debian.org (full text, mbox, reply):

From: sergio <sergio+it@outerface.net>

To: 618863@bugs.debian.org

Subject: related openssh bug

Date: Mon, 1 Apr 2019 06:18:45 +0300

https://bugzilla.mindrot.org/show_bug.cgi?id=2119

-- 
sergio.

-- 
sergio.

Send a report that this bug log contains spam.