Wrong SSHFP on FreeBSD servers

Gavin Atkinson gavin at FreeBSD.org
Thu Aug 15 17:28:40 UTC 2013


On Thu, 15 Aug 2013, Ralph Holz wrote:
> Dear FreeBSD team,
> 
> I am not sure if I got the right mail address, but nevertheless:

It's not the right email address, but I'll see if I can help - and if 
not, I'll forward your email on to the right people.

> A routine scan of SSH and DNS has marked the following of your domains
> as presenting inaccurate SSHFP resource records. Can you confirm this?

As far as I can tell, the records are correct.  I'd be interested in 
knowing why you think they are wrong...

Just picking the top three from your list:

>  pkg-master.freebsd.org
>  ref8-amd64.freebsd.org
>  admin0.nyi.freebsd.org

gavin at freefall:/home/gavin 101% dig sshfp pkg-master.freebsd.org
[...]
pkg-master.freebsd.org. 2925    IN      SSHFP   1 1 F9649EA3087196CEC3E95A3D57F2D9FE2C2BAA51
pkg-master.freebsd.org. 2925    IN      SSHFP   1 2 646A119A9822F1FDBD43CE737B61AED68909CF7A6DB967D34CDDD2DA 4F65FF93
pkg-master.freebsd.org. 2925    IN      SSHFP   2 1 7764B5F462C11EA20AF9BA284DC9D64F2FBCED98
pkg-master.freebsd.org. 2925    IN      SSHFP   2 2 A6E58FF7F28C17FAFD1AF9531FACF8F7C5E03B7FF2D3503731B93BF9 393C2171
pkg-master.freebsd.org. 2925    IN      SSHFP   3 1 D2A7DA2E3D1D2C2533544CB3BAEC9F8BFDB17010
pkg-master.freebsd.org. 2925    IN      SSHFP   3 2 79CB56F5E0693F1A691ABBA5A40BB2A0DC3EEC50F24AF82AFB7050AB E7D1AD44

(and logged onto pkg-master.freebsd.org:)
> ssh-keygen -r localhost
localhost IN SSHFP 1 1 f9649ea3087196cec3e95a3d57f2d9fe2c2baa51
localhost IN SSHFP 1 2 646a119a9822f1fdbd43ce737b61aed68909cf7a6db967d34cddd2da4f65ff93
localhost IN SSHFP 2 1 7764b5f462c11ea20af9ba284dc9d64f2fbced98
localhost IN SSHFP 2 2 a6e58ff7f28c17fafd1af9531facf8f7c5e03b7ff2d3503731b93bf9393c2171
localhost IN SSHFP 3 1 d2a7da2e3d1d2c2533544cb3baec9f8bfdb17010
localhost IN SSHFP 3 2 79cb56f5e0693f1a691abba5a40bb2a0dc3eec50f24af82afb7050abe7d1ad44


gavin at freefall:/home/gavin 102% dig sshfp ref8-amd64.freebsd.org
[...]
;; ANSWER SECTION:
ref8-amd64.freebsd.org. 3600    IN      SSHFP   1 1 70892BE73E725D8F93F79314FF17B415B7FEFA53
ref8-amd64.freebsd.org. 3600    IN      SSHFP   1 2 011C80E6248A613542745BB6648FAF7F7798494B9E545AD7FEC1186F 5F89E97C
ref8-amd64.freebsd.org. 3600    IN      SSHFP   2 1 9B54EB4DAAEFDD5BD757881F39488DD66727ACAB
ref8-amd64.freebsd.org. 3600    IN      SSHFP   2 2 58FC35CD7049012DAE97DD7EC903354156CBE737C76E8C59444EAAB1 A9398906
ref8-amd64.freebsd.org. 3600    IN      SSHFP   3 1 739DE449007C61783777EF07024C503071B3849A
ref8-amd64.freebsd.org. 3600    IN      SSHFP   3 2 EF09E85770695C4C24A3F0171457CE72388112DD9236115FF1DE7191 8CD6B10A

(and logged onto ref8-amd64.freebsd.org:)
104% ssh-keygen -r localhost
localhost IN SSHFP 1 1 70892be73e725d8f93f79314ff17b415b7fefa53
localhost IN SSHFP 1 2 011c80e6248a613542745bb6648faf7f7798494b9e545ad7fec1186f5f89e97c
localhost IN SSHFP 2 1 9b54eb4daaefdd5bd757881f39488dd66727acab
localhost IN SSHFP 2 2 58fc35cd7049012dae97dd7ec903354156cbe737c76e8c59444eaab1a9398906
localhost IN SSHFP 3 1 739de449007c61783777ef07024c503071b3849a
localhost IN SSHFP 3 2 ef09e85770695c4c24a3f0171457ce72388112dd9236115ff1de71918cd6b10a


gavin at freefall:/home/gavin 103% dig sshfp admin0.nyi.freebsd.org
[...]
;; ANSWER SECTION:
admin0.nyi.freebsd.org. 3600    IN      SSHFP   1 1 623FA95A5F643A5943BF36F7719287616492E28B
admin0.nyi.freebsd.org. 3600    IN      SSHFP   1 2 1059CC96B56DBD2CD23454AE4F5C74BCD145EF27FE8B06659083F866 8CAB0589
admin0.nyi.freebsd.org. 3600    IN      SSHFP   2 1 35944945A1FAA03DD28CF4A0E1FBB157EB9F9683
admin0.nyi.freebsd.org. 3600    IN      SSHFP   2 2 7B6A17F76E302013F0F75251E7E50650BC9B9E0AE5CB44CE57C07F66 369CE622
admin0.nyi.freebsd.org. 3600    IN      SSHFP   3 1 F88889BB1BF296EF887FE16EBCC00F7CB0687D5D
admin0.nyi.freebsd.org. 3600    IN      SSHFP   3 2 4F0077E3DEFF1545105C24C95B8D128D14235ACA66B4C9E2166CBBBB 63F88AA4

(and logged onto admin0.nyi.freebsd.org:)
localhost IN SSHFP 1 1 623fa95a5f643a5943bf36f7719287616492e28b
localhost IN SSHFP 1 2 1059cc96b56dbd2cd23454ae4f5c74bcd145ef27fe8b06659083f8668cab0589
localhost IN SSHFP 2 1 35944945a1faa03dd28cf4a0e1fbb157eb9f9683
localhost IN SSHFP 2 2 7b6a17f76e302013f0f75251e7e50650bc9b9e0ae5cb44ce57c07f66369ce622
localhost IN SSHFP 3 1 f88889bb1bf296ef887fe16ebcc00f7cb0687d5d
localhost IN SSHFP 3 2 4f0077e3deff1545105c24c95b8d128d14235aca66b4c9e2166cbbbb63f88aa4

All three appear to match up.

> I don't think it's a serious problem - no one seems to use these RR and
> we only found 3 (!) accurate RRs in our database... but still, I thought
> you might like to know.

Heh.  We're actually using SSHFP (and DANE) now quite heavily - at least, 
we're trying to publish records for everything.  I have no idea how many 
users use them, though I suspect if there were issues people would have 
complained by now.

The fact that you have only found three accurate RRs suggests that maybe 
the issue is at your end.  Here's my theory: You're using "ssh-keygen -r", 
to generate your data, and misunderstanding exactly what the argument to 
-r means.  Note that the argument to -r is not "show me fingerprints for 
this host" but "show me fingerprints for the host I'm logged into, with 
DNS entries suitable for this host".  Or, to put it another way (all run 
from admin0.nyi.freebsd.org):

> ssh-keygen -r admin0.nyi.freebsd.org |grep "SSHFP 1 1"
admin0.nyi.freebsd.org IN SSHFP 1 1 623fa95a5f643a5943bf36f7719287616492e28b
> ssh-keygen -r ref8-amd64.freebsd.org | grep "SSHFP 1 1"
ref8-amd64.freebsd.org IN SSHFP 1 1 623fa95a5f643a5943bf36f7719287616492e28b
> ssh-keygen -r pkg-master.freebsd.org | grep "SSHFP 1 1"
pkg-master.freebsd.org IN SSHFP 1 1 623fa95a5f643a5943bf36f7719287616492e28b

i.e. all show the same fingerprint - that of the local machine.  Let me 
further guess: Are the only three accurate RRs in your database those of 
the machines you are running the tests from? :-)

Let me know if you get to the bottom of it, I am interested in the 
outcome.

Thanks,

Gavin

> 
> Thanks,
> Ralph
> 
>  pkg-master.freebsd.org
>  ref8-amd64.freebsd.org
>  admin0.nyi.freebsd.org
>  routerer.freebsd.org
>  portsmon.freebsd.org
>  nova.freebsd.org
>  bake.isc.freebsd.org
>  admbas1.isc.freebsd.org
>  package2.nyi.freebsd.org
>  admbas1.nyi.freebsd.org
>  vcs.nyi.freebsd.org
>  admauth0.isc.freebsd.org
>  repo.freebsd.org
>  package17.nyi.freebsd.org
>  admin1.nyi.freebsd.org
>  igw0.bme.freebsd.org
>  admin.bme.freebsd.org
>  package12.nyi.freebsd.org
>  bgp0-ext.ysv.freebsd.org
>  ps.isc.freebsd.org
>  gohan13.freebsd.org
>  beefy1.isc.freebsd.org
>  gohan12.freebsd.org
>  igw1.isc.freebsd.org
>  package5.nyi.freebsd.org
>  admauth1.nyi.freebsd.org
>  admauth1.isc.freebsd.org
>  gohan61.freebsd.org
>  ref9-amd64.freebsd.org
>  vm0.freebsd.org
>  package11.nyi.freebsd.org
>  pkg-mirror0.nyi.freebsd.org
>  repoman2.freebsd.org
>  admin.isc.freebsd.org
>  gohan10.freebsd.org
>  snap.freebsd.org
>  skunkworks.freebsd.org
>  mailspool.freebsd.org
>  bhyve.freebsd.org
>  stream.freebsd.org
>  admauth0.nyi.freebsd.org
>  bbig.ysv.freebsd.org
>  stench.freebsd.org
>  package9.nyi.freebsd.org
>  ref10-amd64.freebsd.org
>  pb2.nyi.freebsd.org
>  package13.nyi.freebsd.org
>  halo.freebsd.org
>  ref10-i386.freebsd.org
>  ray.bme.freebsd.org
>  beefy2.isc.freebsd.org
>  mailhub.freebsd.org
>  igw1.bme.freebsd.org
>  routerer-ext.ysv.freebsd.org
>  pointyhat-east.nyi.freebsd.org
>  nbk0.nyi.freebsd.org
>  pluto.freebsd.org
>  admbas0.isc.freebsd.org
>  cook.isc.freebsd.org
>  worm.freebsd.org
>  package8.nyi.freebsd.org
>  ybk.ysv.freebsd.org
>  bgp0.ysv.freebsd.org
>  igw0.isc.freebsd.org
>  svn.freebsd.org
>  package4.nyi.freebsd.org
>  flame.freebsd.org
>  foundation.freebsd.org
>  freefall.freebsd.org
>  service2.freebsd.org
>  fif0.nyi.freebsd.org
>  package14.nyi.freebsd.org
>  package3.nyi.freebsd.org
>  bit-master.freebsd.org
>  package16.nyi.freebsd.org
>  igw0.nyi.freebsd.org
>  portsindexbuild.ysv.freebsd.org
>  routerest-ext.ysv.freebsd.org
> -- 
> Ralph Holz
> I8 - Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> Phone +49.89.289.18043
> PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
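The check Gavin describes (compare what DNS serves with a hash of the host's actual key, rather than trusting what `ssh-keygen -r somehost` prints on a different machine) can be done offline once you have the remote host's public key, for instance from `ssh-keyscan`. The following Python script is an added example and is not part of this thread or of any FreeBSD tooling. It reproduces the SSHFP computation (the record is a SHA-1 or SHA-256 digest of the raw public-key blob, with the algorithm number taken from the key type), parses `dig` answers, which print the hex upper-case and wrap long SHA-256 data with a space as seen in the thread, and reports which records match, are missing, or are stale. The host name `host.example`, its Ed25519 key blob, the keyscan line and the all-zero SHA-1 record are constructed sample data; the one real record used is the pkg-master SHA-256 pair quoted in the thread, to show that the dig and ssh-keygen forms normalise to the same value.

```python
"""Verify DNS SSHFP records against a host's real public key.

Added example, not code from the mailing-list thread. An SSHFP record
is a digest of the public-key blob itself, so a record for a remote
host can only be produced from that host's key (e.g. `ssh-keyscan`);
`ssh-keygen -r name` on another machine hashes the *local* keys and
merely writes `name` into the owner field.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(owner, keytype, key_b64):
    """Return 'owner IN SSHFP alg fptype hex' lines, as `ssh-keygen -r` prints them."""
    blob = base64.b64decode(key_b64)
    # The wire-format blob starts with the key type as a length-prefixed string;
    # refuse input whose text key type disagrees with the blob.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key blob does not match key type %r" % keytype)
    alg = SSHFP_ALGORITHM[keytype]
    return ["%s IN SSHFP %d %d %s" % (owner, alg, fptype, digest(blob).hexdigest())
            for fptype, digest in sorted(SSHFP_DIGEST.items())]


def records_from_keyscan(keyscan_output):
    """Turn `ssh-keyscan host` output ('host keytype base64') into SSHFP records."""
    records = []
    for line in keyscan_output.splitlines():
        if not line.strip() or line.startswith("#"):  # keyscan prints '# host' comments
            continue
        host, keytype, key_b64 = line.split()[:3]
        if keytype in SSHFP_ALGORITHM:
            records.extend(sshfp_records(host, keytype, key_b64))
    return records


def parse_dig_sshfp(dig_output):
    """Map owner -> {(alg, fptype, hex)} from `dig sshfp` answer lines.

    dig prints the hex upper-case and may wrap it with spaces, so the
    fragments are rejoined and lower-cased before comparison."""
    by_owner = {}
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[3] != "SSHFP":
            continue
        owner = fields[0].rstrip(".")
        entry = (int(fields[4]), int(fields[5]), "".join(fields[6:]).lower())
        by_owner.setdefault(owner, set()).add(entry)
    return by_owner


def fingerprint_tuple(record):
    """(alg, fptype, hex) from an 'owner IN SSHFP alg fptype hex' line."""
    _owner, _in, _sshfp, alg, fptype, fingerprint = record.split()
    return (int(alg), int(fptype), fingerprint.lower())


def compare(dns_entries, host_records):
    """Return (matched, missing_from_dns, stale_in_dns) for one owner name."""
    expected = {fingerprint_tuple(r) for r in host_records}
    return expected & dns_entries, expected - dns_entries, dns_entries - expected


# Constructed sample: an Ed25519 public-key blob in SSH wire format
# (string "ssh-ed25519" followed by 32 key bytes); the key bytes are a placeholder.
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY_B64 = base64.b64encode(_BLOB).decode()
SAMPLE_KEYSCAN = "host.example ssh-ed25519 %s\n" % SAMPLE_KEY_B64  # constructed

# Real pair from the thread: dig output (upper-case, wrapped) and the
# matching `ssh-keygen -r localhost` line from pkg-master.freebsd.org.
DIG_FROM_THREAD = ("pkg-master.freebsd.org. 2925    IN      SSHFP   1 2 "
                   "646A119A9822F1FDBD43CE737B61AED68909CF7A6DB967D34CDDD2DA 4F65FF93")
KEYGEN_FROM_THREAD = ("localhost IN SSHFP 1 2 "
                      "646a119a9822f1fdbd43ce737b61aed68909cf7a6db967d34cddd2da4f65ff93")


def sample_dig_output():
    """Constructed `dig sshfp host.example` answer: the SHA-256 record is
    correct (upper-case, wrapped like dig does), the SHA-1 record is stale."""
    sha256 = hashlib.sha256(_BLOB).hexdigest().upper()
    return ("host.example. 3600 IN SSHFP 4 1 %s\n" % ("0" * 40)
            + "host.example. 3600 IN SSHFP 4 2 %s %s\n" % (sha256[:56], sha256[56:]))


def demo():
    """Compare the constructed DNS answer with records derived from the key."""
    host_records = records_from_keyscan(SAMPLE_KEYSCAN)
    dns_entries = parse_dig_sshfp(sample_dig_output())["host.example"]
    return compare(dns_entries, host_records)


if __name__ == "__main__":
    matched, missing, stale = demo()
    print("matched:", matched)
    print("missing from DNS:", missing)
    print("stale in DNS:", stale)
```

To check a live host, replace `SAMPLE_KEYSCAN` with the output of `ssh-keyscan host` and `sample_dig_output()` with the output of `dig sshfp host`; note that `ssh-keyscan` fetches the key over an unauthenticated connection, so a disagreement tells you the record and the live key differ, not which of the two is the trustworthy one.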

