Debian Bug report logs -
#960023
SSHFP stops working with libc6 2.31 [AD bit stripped]
Report forwarded
to debian-bugs-dist@lists.debian.org, laney@debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#960023; Package ssh,systemd.
(Fri, 08 May 2020 12:42:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Iain Lane <laney@debian.org>:
New Bug report received and forwarded. Copy sent to laney@debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>.
(Fri, 08 May 2020 12:42:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: ssh,systemd
Severity: normal
Hey
I've just been playing with SSHFP as a way of verifying SSH host keys
(VerifyHostKeyDNS=yes) when I can trust my local DNS resolver. I was
trying on Ubuntu 20.04 and I could just *not* get it to work. It was
considering the response to be untrusted. I'll spare you all of the
tedious details of the many things I tried, but it comes down to this.
As of 2.31, glibc's stub resolver is stripping the AD (authenticated
data) bit from responses that it receives from its upstream name servers.
This is documented in the release notes for 2.31:
* The DNS stub resolver will optionally send the AD (authenticated
data) bit in queries if the trust-ad option is set via the options
directive in /etc/resolv.conf (or if RES_TRUSTAD is set in
_res.options). In this mode, the AD bit, as provided by the name
server, is available to applications which call res_search and
related functions. In the default mode, the AD bit is not set in
queries, and it is automatically cleared in responses, indicating a
lack of DNSSEC validation. (Therefore, the name servers and the
network path to them are treated as untrusted.)
and a couple of relevant links
https://gnutoolchain-gerrit.osci.io/r/c/glibc/+/461
https://bugzilla.redhat.com/show_bug.cgi?id=1164339#c15
I'm filing this on *both* SSH and systemd, since I think either or both
are places that might want to consider being altered to account for
this and I'd be interested in the maintainers' opinions.
openssh
=======
In Debian we are patching ssh to unconditionally send EDNS0, even if not
specified in /etc/resolv.conf, in an effort to support this feature.
Sending TRUSTAD too is arguably in keeping with the spirit of this
patch. I tried this in the attached patch and it works.
systemd
=======
systemd-resolved similarly adds 'options edns0' to resolv.conf files it
generates for its stub resolver. It could be extended (untested) to add
the 'trust-ad' option.
Counterargument
===============
I'm not very well-read here yet, but it seems like this is done because
AD can be faked by malicious resolvers, and so the argument is that it's
not safe to trust it unless you know you're in a trusted environment. In
that light, perhaps what ssh and systemd are doing (adding edns0 to make
the AD bit be sent automatically) is working against upstream glibc's
goal, and so we shouldn't do this for users without their opt-in? This
is where I'd appreciate the input of wiser heads.
If this type of argument is accepted, it would be good to provide a
simple way to turn trust-ad on so that people can do it when they are on
trusted networks. (Maybe even with higher-level support from something
like network-manager too.)
Cheers,
--
Iain Lane [ iain@orangesquash.org.uk ]
Debian Developer [ laney@debian.org ]
Ubuntu Developer [ laney@ubuntu.com ]
[ssh_res_trustad.patch (text/plain, attachment)]
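The mechanism the report describes, as an added model (not code from the bug report, glibc or OpenSSH): a validating upstream resolver answers an SSHFP query with the AD flag set, the glibc 2.31 stub clears that flag unless `options trust-ad` is present in resolv.conf, and ssh treats the SSHFP answer as trustworthy only if AD survives. The 12-byte response header is constructed; the resolv.conf contents and the `sshfp_trust` classification are assumptions for illustration.

```python
"""Model of AD-bit handling between a validating resolver, the glibc 2.31
stub resolver and an SSHFP consumer such as ssh (added example, not glibc
or OpenSSH code)."""
import struct

# DNS header flag bits (RFC 1035, AD from RFC 4035); second 16-bit word of the header.
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: recursive resolver validated DNSSEC


def resolv_conf_options(text):
    """Collect the keywords given on 'options' lines of a resolv.conf text,
    ignoring '#' and ';' comments (hypothetical helper)."""
    opts = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].split(';', 1)[0].strip()
        if line.startswith('options'):
            opts.update(line.split()[1:])
    return opts


def stub_filter_response(raw, trust_ad):
    """Emulate the glibc 2.31 default mode: without trust-ad the stub clears
    AD in every response, so applications never see a validated answer."""
    ident, flags = struct.unpack('!HH', raw[:4])
    if not trust_ad:
        flags &= ~FLAG_AD
    return struct.pack('!HH', ident, flags) + raw[4:]


def response_is_validated(raw):
    """True if the response header still carries the AD flag."""
    return bool(struct.unpack('!H', raw[2:4])[0] & FLAG_AD)


def sshfp_trust(resolv_conf, upstream_response):
    """Classify an SSHFP answer the way the report describes ssh behaving:
    'secure' only when the AD flag reaches the application."""
    trust_ad = 'trust-ad' in resolv_conf_options(resolv_conf)
    seen_by_ssh = stub_filter_response(upstream_response, trust_ad)
    return 'secure' if response_is_validated(seen_by_ssh) else 'insecure'


# Constructed sample: response header from a validating resolver (QR, RD, RA,
# AD set; one question, one answer); the SSHFP record body itself is omitted.
UPSTREAM = struct.pack('!HHHHHH', 0x1234,
                       FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
```

With `options edns0` alone the answer is classified `insecure`, which is the failure the report observed; adding `trust-ad` to the same line yields `secure`.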
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#960023; Package ssh,systemd.
(Sun, 10 May 2020 07:36:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>.
(Sun, 10 May 2020 07:36:03 GMT) (full text, mbox, link).
Message #10 received at 960023@bugs.debian.org (full text, mbox, reply):
Hi Iain
On 08.05.20 at 14:32, Iain Lane wrote:
> systemd
> =======
>
> systemd-resolved similarly adds 'options edns0' to resolv.conf files it
> generates for its stub resolver. It could be extended (untested) to add
> the 'trust-ad' option.
Could you please raise this at
https://github.com/systemd/systemd/issues
To me this sounds like something that should be discussed (and
eventually implemented) upstream.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#960023; Package ssh,systemd.
(Sun, 10 May 2020 08:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Iain Lane <laney@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>.
(Sun, 10 May 2020 08:39:04 GMT) (full text, mbox, link).
Message #15 received at 960023@bugs.debian.org (full text, mbox, reply):
Control: forwarded -1 https://github.com/systemd/systemd/issues/15767
On Sun, May 10, 2020 at 09:33:34AM +0200, Michael Biebl wrote:
> Hi Iain
>
> On 08.05.20 at 14:32, Iain Lane wrote:
> > systemd
> > =======
> >
> > systemd-resolved similarly adds 'options edns0' to resolv.conf files it
> > generates for its stub resolver. It could be extended (untested) to add
> > the 'trust-ad' option.
>
>
> Could you please raise this at
> https://github.com/systemd/systemd/issues
>
> To me this sounds like something that should be discussed (and
> eventually implemented) upstream.
Of course. I filed it here because I wanted to see if the Debian
maintainers had any thoughts first (and because the SSH behaviour is a
Debian patch).
Here you go: https://github.com/systemd/systemd/issues/15767
Cheers,
--
Iain Lane [ iain@orangesquash.org.uk ]
Debian Developer [ laney@debian.org ]
Ubuntu Developer [ laney@ubuntu.com ]
Added tag(s) fixed-upstream.
Request was from debian-bts-link@lists.debian.org
to control@bugs.debian.org.
(Thu, 16 Jul 2020 17:21:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>:
Bug#960023; Package ssh,systemd.
(Mon, 27 Jul 2020 19:39:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>, Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>.
(Mon, 27 Jul 2020 19:39:05 GMT) (full text, mbox, link).
Message #24 received at 960023@bugs.debian.org (full text, mbox, reply):
Control: reassing -1 ssh
Control: found -1 1:8.3p1-1
Control: notforwarded -1
Hi Iain
On 10.05.20 at 10:25, Iain Lane wrote:
> Control: forwarded -1 https://github.com/systemd/systemd/issues/15767
>
> On Sun, May 10, 2020 at 09:33:34AM +0200, Michael Biebl wrote:
>> Hi Iain
>>
>> On 08.05.20 at 14:32, Iain Lane wrote:
>>> systemd
>>> =======
>>>
>>> systemd-resolved similarly adds 'options edns0' to resolv.conf files it
>>> generates for its stub resolver. It could be extended (untested) to add
>>> the 'trust-ad' option.
>>
>>
>> Could you please raise this at
>> https://github.com/systemd/systemd/issues
>>
>> To me this sounds like something that should be discussed (and
>> eventually implemented) upstream.
>
> Of course. I filed it here because I wanted to see if the Debian
> maintainers had any thoughts first (and because the SSH behaviour is a
> Debian patch).
>
> Here you go: https://github.com/systemd/systemd/issues/15767
In the meantime,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965371 was filed as a
duplicate of this bug report.
I'm going to keep #965371 assigned to systemd and will reassign this one
to ssh.
Regards,
Michael
Marked as found in versions openssh/1:8.3p1-1.
Request was from Michael Biebl <biebl@debian.org>
to 960023-submit@bugs.debian.org.
(Mon, 27 Jul 2020 19:39:05 GMT) (full text, mbox, link).
Unset Bug forwarded-to-address
Request was from Michael Biebl <biebl@debian.org>
to 960023-submit@bugs.debian.org.
(Mon, 27 Jul 2020 19:39:05 GMT) (full text, mbox, link).
Bug reassigned from package 'ssh,systemd' to 'ssh'.
Request was from Michael Biebl <biebl@debian.org>
to control@bugs.debian.org.
(Mon, 27 Jul 2020 20:00:05 GMT) (full text, mbox, link).
No longer marked as found in versions openssh/1:8.3p1-1.
Request was from Michael Biebl <biebl@debian.org>
to control@bugs.debian.org.
(Mon, 27 Jul 2020 20:00:05 GMT) (full text, mbox, link).
Removed tag(s) fixed-upstream.
Request was from Michael Biebl <biebl@debian.org>
to control@bugs.debian.org.
(Mon, 27 Jul 2020 20:00:07 GMT) (full text, mbox, link).
Last modified:
Thu Aug 8 02:22:18 2024;