FS#76779 - [openssh] should be compiled without ldns for secure SSHFP
Attached to Project:
Arch Linux
Opened by Mateusz Poliwczak (mateusz834) - Thursday, 08 December 2022, 14:16 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:14 GMT
Details
When VerifyHostKeyDNS=yes is set, the ssh client sends an SSHFP DNS query for the host key fingerprints.
Recently glibc introduced the trust-ad option: it strips the AD bit when trust-ad is not set in resolv.conf. It seems that ldns does not support this option, so it blindly trusts the AD bit received in the DNS response. So let's say that our resolv.conf looks like this:

    nameserver 1.1.1.1
    options edns0

Then when glibc receives the AD bit in the response from the 1.1.1.1 resolver, the AD bit is removed (because we didn't specify that we trust it), but ldns passes it as is to the application, which is insecure.
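To make the difference concrete, here is an added example (written for this page, not code from the report, nor from glibc, ldns or OpenSSH) that models the two behaviours described above. It parses the AD flag out of a constructed DNS response header, checks a constructed resolv.conf for the trust-ad option, and shows what the application sees in the glibc case (AD cleared unless trust-ad is set) versus the pass-through case. The function names, the two resolv.conf strings and the response header are all assumptions made for illustration; the auto_accept helper is a simplified model of the VerifyHostKeyDNS=yes decision (accept without prompting only when the fingerprint matches and the lookup was secure) and not OpenSSH's actual code.

```python
import struct

# Constructed resolv.conf contents for the example (not from the report).
# The first matches the report's setup: no trust-ad, so glibc must not
# believe the upstream resolver's AD bit. The second opts in to trusting it.
RESOLV_CONF_UNTRUSTED = "nameserver 1.1.1.1\noptions edns0\n"
RESOLV_CONF_TRUSTED = "nameserver 1.1.1.1\noptions edns0 trust-ad\n"

AD_FLAG = 0x0020  # "Authentic Data" bit in the DNS header flags (RFC 4035)


def resolv_conf_trusts_ad(text):
    """Return True if an 'options' line in resolv.conf lists trust-ad."""
    for line in text.splitlines():
        # Strip comments (resolv.conf accepts '#' and ';') before parsing.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line.startswith("options"):
            continue
        if "trust-ad" in line.split()[1:]:
            return True
    return False


def header_ad_bit(msg):
    """Extract the AD flag from the 12-byte DNS message header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & AD_FLAG)


def glibc_style_ad(msg, resolv_conf):
    """AD as a glibc-resolved application sees it: cleared unless trust-ad is set."""
    return header_ad_bit(msg) and resolv_conf_trusts_ad(resolv_conf)


def passthrough_ad(msg, resolv_conf):
    """AD as an ldns-style resolver delivers it: whatever the server sent.
    resolv_conf is accepted only so both models share one signature."""
    return header_ad_bit(msg)


def build_response_header(ad):
    """Construct a minimal DNS response header (QR=1, RD=1, RA=1, AD optional)."""
    flags = 0x8180 | (AD_FLAG if ad else 0)
    # id, flags, qdcount, ancount, nscount, arcount
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)


def auto_accept(ad_bit, fingerprint_matches):
    """Simplified model (assumption) of VerifyHostKeyDNS=yes: the host key is
    accepted without a prompt only for a matching *and* secure SSHFP lookup."""
    return bool(ad_bit and fingerprint_matches)


if __name__ == "__main__":
    # A spoofed or unvalidated upstream answer that carries AD=1.
    msg = build_response_header(ad=True)
    for name, conf in (("no trust-ad", RESOLV_CONF_UNTRUSTED),
                       ("trust-ad", RESOLV_CONF_TRUSTED)):
        g = glibc_style_ad(msg, conf)
        p = passthrough_ad(msg, conf)
        print(f"{name:12} glibc AD={g!s:5} passthrough AD={p!s:5} "
              f"auto-accept (glibc)={auto_accept(g, True)} "
              f"auto-accept (passthrough)={auto_accept(p, True)}")
```

With the report's resolv.conf (no trust-ad) the glibc path yields AD=False and the matching SSHFP record would still trigger a prompt, whereas the pass-through path yields AD=True and the key would be accepted silently on the strength of a bit that nothing on the host validated.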
This task depends upon
Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:14 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/packaging/packages/openssh/issues/2
If I understand correctly, ldns currently does not support options in resolv.conf [1]
Edit:
ldns passes its DNS queries through glibc?
[1] https://github.com/NLnetLabs/ldns/blob/release-1.7.1/resolver.c#L961
No
I don't know whether this should be fixed somehow in openssh; trust-ad is not supported on all systems (like musl-based ones).
Systems using systemd-resolved rather than the glibc stub resolver would not be impacted by the change?
FWIW, AFAICT both Fedora and Debian appear to *not* build openssh against ldns, so Arch does differ here.