svn commit: r466577 - in head/security/openssh-portable: . files

Craig Leres leres at freebsd.org
Sat Apr 7 01:12:16 UTC 2018


On 04/05/18 11:20, Bryan Drewery wrote:
> Log:
>    Update to 7.7p1

This version breaks sshfp support when you don't use the fully qualified 
domain name with "VerifyHostKeyDNS yes". Here's 7.6.p1_3,1:

     hot 7 % ssh -v zinc
     [...]
     debug1: found 8 secure fingerprints in DNS
     debug1: matching host key fingerprint found in DNS

Here's 7.7.p1,1:

     vet 17 % ssh -v zinc
     [...]
     DNS lookup error: general failure
     No ECDSA host key is known for zinc and you have requested strict checking.
     Host key verification failed.

It works as with the previous version if I use zinc.ee.lbl.gov.

Looking at the release notes I see:

     ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-
     convert any certificate keys to plain keys and attempt SSHFP
     resolution.  Prevents a server from skipping SSHFP lookup and
     forcing a new-hostkey dialog by offering only certificate keys.

I'm guessing this inadvertently broke non-FQDN sshfp?

		Craig
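An added example, not OpenSSH code and not the FreeBSD port's code, of what the VerifyHostKeyDNS check in the two transcripts above actually compares: ssh(1) hashes the host key blob the server presents (the same bytes `ssh-keygen -r` hashes) and looks for an SSHFP record with the same algorithm, fingerprint type and digest under the name it resolves. The zone, the "server key" (32 bytes of filler, not a real key) and the resolver are constructed in memory so the script runs offline; the only difference between the "zinc" run that fails and the one that succeeds is whether the resolver applies a search suffix to the single-label name, which reproduces the failure mode shown above but says nothing about what changed inside 7.7p1. Real ssh(1) also only trusts a match when the answer is DNSSEC-validated (AD bit set); that is not modelled.

```python
"""SSHFP (RFC 4255) host-key check, reimplemented for illustration only."""
from __future__ import annotations

import base64
import hashlib
import struct
from dataclasses import dataclass

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass(frozen=True)
class SSHFP:
    algorithm: int
    fptype: int
    fingerprint: str  # lowercase hex, as written in zone-file rdata

    @classmethod
    def parse(cls, rdata: str) -> SSHFP:
        """Parse rdata such as '4 2 ab12...' (zone files may split the hex)."""
        alg, fptype, *hexparts = rdata.split()
        return cls(int(alg), int(fptype), "".join(hexparts).lower())

    def __str__(self) -> str:
        return f"{self.algorithm} {self.fptype} {self.fingerprint}"


def sshfp_records_for(pubkey_line: str) -> list[SSHFP]:
    """What `ssh-keygen -r` publishes: hash the base64 key blob of an OpenSSH
    public-key line (known_hosts / authorized_keys format) with each fptype."""
    keytype, b64, *_comment = pubkey_line.split()
    blob = base64.b64decode(b64)
    # Certificate key types are not in the table: per the 7.7 release notes
    # ssh(1) down-converts them to the plain key before the SSHFP lookup.
    alg = SSHFP_ALGORITHMS[keytype]
    return [SSHFP(alg, t, h(blob).hexdigest()) for t, h in SSHFP_FPTYPES.items()]


def host_key_matches_dns(pubkey_line: str, rdatas: list[str]) -> bool:
    """True if some published record has the same (algorithm, fptype, digest)
    as the key the server presented; records of other types are ignored."""
    expected = set(sshfp_records_for(pubkey_line))
    published = {SSHFP.parse(r) for r in rdatas}
    return bool(expected & published)


# --- constructed fixture: fake key, fake zone, fake resolver ---------------

def _ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    # OpenSSH wire format: string "ssh-ed25519" || string <32-byte point>.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Deterministic filler, NOT a real key; the SSHFP math only needs the blob.
SERVER_KEY = _ed25519_pubkey_line(bytes(range(32)), "constructed@example")

# Constructed zone: only the fully qualified name owns SSHFP records.
ZONE = {
    "zinc.ee.lbl.gov.": [str(r) for r in sshfp_records_for(SERVER_KEY)],
}


def resolve_sshfp(name: str, search: tuple[str, ...] = ()) -> list[str]:
    """Stand-in for the client's RRset lookup.  A name with no dot is tried
    with each search suffix first, then bare, like a libc resolver with ndots:1;
    with an empty search list the short name is simply not in the zone."""
    candidates = [name] if "." in name else [f"{name}.{d}" for d in search] + [name]
    for cand in candidates:
        rdatas = ZONE.get(cand.rstrip(".") + ".")
        if rdatas is not None:
            return rdatas
    raise LookupError(f"DNS lookup error for {name}")


def verify_host(name: str, presented_key: str, search: tuple[str, ...] = ()) -> str:
    """Mimic the debug1 line ssh -v prints for the VerifyHostKeyDNS decision."""
    try:
        rdatas = resolve_sshfp(name, search)
    except LookupError as e:
        return str(e)
    if host_key_matches_dns(presented_key, rdatas):
        return "matching host key fingerprint found in DNS"
    return "no matching host key fingerprint found in DNS"


if __name__ == "__main__":
    for rr in ZONE["zinc.ee.lbl.gov."]:
        print("zinc.ee.lbl.gov. IN SSHFP", rr)
    print("zinc (no search list)  ->", verify_host("zinc", SERVER_KEY))
    print("zinc (search ee.lbl.gov) ->", verify_host("zinc", SERVER_KEY, ("ee.lbl.gov",)))
    print("zinc.ee.lbl.gov          ->", verify_host("zinc.ee.lbl.gov", SERVER_KEY))
```

To compare against a real zone, `ssh-keygen -r zinc.ee.lbl.gov -f /etc/ssh/ssh_host_ed25519_key.pub` prints the records the same way and `dig +dnssec SSHFP zinc.ee.lbl.gov` shows what is published and whether the answer carries the AD bit.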


More information about the svn-ports-head mailing list