[Bug 276410] security/openssh-portable: SSHFP/known_hosts issues when HPN is enabled (9.6.p1_1,1)

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 17 Jan 2024 23:22:21 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276410

            Bug ID: 276410
           Summary: security/openssh-portable: SSHFP/known_hosts issues
                    when HPN is enabled (9.6.p1_1,1)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: bdrewery@FreeBSD.org
          Reporter: leres@freebsd.org
             Flags: maintainer-feedback?(bdrewery@FreeBSD.org)

The HPN patchset for openssh-portable was updated with b3f86656fc67 however
when enabled it causes issues with ssh. When a user specifies a destination
host that is not a fully qualified domain name (relying on the resolver search
path to complete the hostname) ssh is unable to find SSHFP records (even when
present) or known_host entries.

For example, given a resolv.conf with:

    search freebsd.org

Using the FQDN works as before:

    ice 146 % /usr/local/bin/ssh freefall.freebsd.org hostname
    freefall.freebsd.org

But using just the hostname does not:

    ice 147 % /usr/local/bin/ssh freefall hostname
    The authenticity of host 'freefall (2610:1c1:1:6074::16:84)' can't be established.
    ED25519 key fingerprint is SHA256:oJ7FKX5UTBWP4CncsrsaIb1JbfbtqzKOMYni3oVLAo0.
    No matching host key fingerprint found in DNS.
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])?

In this case tcpdump shows that "freefall.freebsd.org" is used for the A and
AAAA DNS lookups but "freefall." is queried when the SSHFP lookup happens.

Rebuilding with HPN disabled solves this.
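The following is an added example, not code from the bug report or from the OpenSSH or HPN projects. It shows, offline, why the name used for the SSHFP query decides whether host key verification via DNS can succeed at all, and how an SSHFP SHA-256 record is derived from a host key so an operator can confirm what a zone should contain. The search domain, the "zone", the address set and the ED25519 key bytes are all constructed for illustration; the canonicalization rule (a name containing a dot is treated as already qualified) is a simplified stand-in for the resolver's search-path behaviour, not OpenSSH's own logic.

```python
"""Added example: SSHFP record derivation and the effect of the lookup name.
All hostnames, records and key material below are constructed."""
import base64
import hashlib
import struct

# SSHFP RDATA algorithm numbers and the SHA-256 fingerprint type
# (RFC 4255, RFC 6594 and RFC 7479).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE_SHA256 = 2


def ssh_string(b):
    """Encode an SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_pubkey_line(raw_pubkey):
    """Build an 'ssh-ed25519 <base64>' public key line from 32 raw key bytes (constructed key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def key_blob(hostkey_line):
    """Decode the base64 wire blob from a 'type base64 [comment]' host key line."""
    return base64.b64decode(hostkey_line.split()[1])


def fingerprint_display(hostkey_line):
    """The 'SHA256:...' form ssh prints: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(key_blob(hostkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_rdata(hostkey_line):
    """(algorithm, fptype, hex digest) as published in DNS; the SHA-256 line `ssh-keygen -r` emits."""
    keytype = hostkey_line.split()[0]
    digest_hex = hashlib.sha256(key_blob(hostkey_line)).hexdigest()
    return (SSHFP_ALGO[keytype], SSHFP_FPTYPE_SHA256, digest_hex)


def canonicalize(host, search_domains, has_address):
    """Complete a bare name through the search list, as the resolver does for the A/AAAA lookup.
    Simplified assumption: a name containing a dot is already qualified."""
    if "." in host.rstrip("."):
        return host.rstrip(".")
    for domain in search_domains:
        candidate = f"{host}.{domain}"
        if has_address(candidate):
            return candidate
    return host


def sshfp_verified(query_name, hostkey_line, zone):
    """True if the SSHFP RRset at query_name contains a record for the offered host key."""
    return sshfp_rdata(hostkey_line) in zone.get(query_name.rstrip(".").lower(), ())


# Constructed data standing in for resolv.conf, the DNS zone and the server's host key.
SEARCH_DOMAINS = ["freebsd.org"]
HOST_KEY = ed25519_pubkey_line(bytes(range(32)))          # constructed, not a real host key
ZONE = {"freefall.freebsd.org": [sshfp_rdata(HOST_KEY)]}  # SSHFP published only under the FQDN
ADDRESSES = {"freefall.freebsd.org"}                      # names that have A/AAAA records


def check(user_host, query_as_typed):
    """Run the SSHFP lookup either under the name as typed (with a trailing dot, as the
    report observed) or under the search-path-completed FQDN, and report the outcome."""
    fqdn = canonicalize(user_host, SEARCH_DOMAINS, lambda name: name in ADDRESSES)
    query_name = user_host + "." if query_as_typed else fqdn
    return {"fqdn": fqdn, "sshfp_query": query_name,
            "verified": sshfp_verified(query_name, HOST_KEY, ZONE)}


if __name__ == "__main__":
    print(check("freefall", query_as_typed=True))   # SSHFP asked for 'freefall.': no match
    print(check("freefall", query_as_typed=False))  # SSHFP asked for the FQDN: match
    print(fingerprint_display(HOST_KEY))
```

The first call reproduces the symptom from the report: the address lookup completes "freefall" to "freefall.freebsd.org", but an SSHFP query for "freefall." hits no record, so the client falls back to the interactive prompt. The second call queries under the same name the address lookup resolved, which is where the record lives. `sshfp_rdata` also gives an operator a way to confirm that a published SSHFP record was generated from the key the server actually presents.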
