Date:      Thu, 15 May 2014 11:00:17 -0400
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: "VerifyHostKeyDNS yes" does not work as expected
Message-ID:  <5374D681.5070901@FreeBSD.org>
In-Reply-To: <20140515135405.GA52955@admin.sibptus.tomsk.ru>
References:  <20140515135405.GA52955@admin.sibptus.tomsk.ru>


On 15/05/2014 09:54, Victor Sudakov wrote:
> Dear Colleagues,
>
> I have "VerifyHostKeyDNS yes" set in ~/.ssh/config. Yet when I
> connect to a host, I get:
>
> $ ssh admin.sibptus.ru
> The authenticity of host 'admin.sibptus.ru (212.73.125.240)' can't be established.
> ECDSA key fingerprint is 83:ca:c0:af:42:5c:35:30:38:d7:78:e3:1d:c9:c2:3e.
> Matching host key fingerprint found in DNS.
> Are you sure you want to continue connecting (yes/no)?
>
> Why does ssh not implicitly trust the key published in DNS? Why does
> it ask me?
>
> The "sibptus.ru" zone is DNSSEC enabled. The local resolver is
> configured with "dnssec-validation auto". What else am I missing?
>
> Thanks for any ideas.
>
> Here is some debug: http://pastebin.com/q12R7RPH
>

Your debug output suggests that ssh doesn't trust the SSHFP results from
DNS -- which would seem to be a problem with DNSSEC on your domain.

Given dnsviz.net confirms DNSSEC on your domain is fine, I guess you
need to look into what your recursive resolver is doing with DNSSEC records.

Also, VerifyHostKeyDNS yes is the default in recent FBSD.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
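The behaviour Victor reports has a precise cause that the reply hints at: OpenSSH will only skip the prompt when the SSHFP answer both matches the host key and came back from the resolver with the AD (authenticated data) flag set. A match without AD produces exactly "Matching host key fingerprint found in DNS." followed by the usual yes/no question. The script below is an added example (my code, not from the thread, OpenSSH or FreeBSD) that computes the SSHFP RDATA ssh-keygen -r would print for an OpenSSH public key line and then applies that same two-part decision to a dig +dnssec answer. The key (32 fixed bytes standing in for an Ed25519 public key), the hostname admin.example.invalid and the dig output are all constructed sample data, not captures from the host in the thread.

```python
import base64
import hashlib
import re
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def key_blob(pubkey_line: str) -> tuple:
    """Return (key type, raw key blob) from an authorized_keys/known_hosts style line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:  # the blob names its own type; keep the line honest
        raise ValueError("key type in blob does not match the line")
    return keytype, blob


def sshfp_records(pubkey_line: str) -> list:
    """SSHFP RDATA as (algorithm, fptype, hex fingerprint), one per hash type, like ssh-keygen -r."""
    keytype, blob = key_blob(pubkey_line)
    algo = SSHFP_ALGO[keytype]
    return [(algo, fpt, h(blob).hexdigest()) for fpt, h in SSHFP_FPTYPE.items()]


def md5_colon_fingerprint(pubkey_line: str) -> str:
    """The colon-separated MD5 fingerprint old ssh prints in the prompt: a different hash of the same blob, so it cannot be compared by eye with SSHFP data."""
    _, blob = key_blob(pubkey_line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


FLAGS_LINE = re.compile(r";; flags: ([a-z ]+);")


def answer_is_authenticated(dig_output: str) -> bool:
    """True when the header flags of a dig answer include 'ad', i.e. the recursive resolver validated it."""
    m = FLAGS_LINE.search(dig_output)
    return bool(m) and "ad" in m.group(1).split()


def parse_sshfp_answers(dig_output: str) -> list:
    """Collect (algorithm, fptype, lowercase hex fingerprint) from SSHFP lines in the answer."""
    recs = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) >= 7 and parts[3] == "SSHFP":
            recs.append((int(parts[4]), int(parts[5]), "".join(parts[6:]).lower()))
    return recs


def dns_verdict(pubkey_line: str, dig_output: str) -> str:
    """Mirror OpenSSH's rule: a matching fingerprint alone only adds a message to the prompt; skipping the prompt needs the AD flag as well."""
    matched = any(r in parse_sshfp_answers(dig_output) for r in sshfp_records(pubkey_line))
    if not matched:
        return "no match: host key not in DNS, prompt shown"
    if not answer_is_authenticated(dig_output):
        return "matched but unvalidated: prompt still shown"
    return "matched and validated: host key trusted"


# Constructed sample key: 32 fixed bytes stand in for a real Ed25519 public key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " root@admin.example.invalid"


def sample_dig(ad: bool, fingerprint: str, fptype: int = 2) -> str:
    """Constructed stand-in for `dig +dnssec SSHFP admin.example.invalid` output (not a real capture)."""
    flags = "qr rd ra ad" if ad else "qr rd ra"
    return "\n".join([
        f";; flags: {flags}; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1",
        ";; OPT PSEUDOSECTION:",
        "; EDNS: version: 0, flags: do; udp: 4096",
        ";; ANSWER SECTION:",
        f"admin.example.invalid.\t3600\tIN\tSSHFP\t4 {fptype} {fingerprint.upper()}",
        "admin.example.invalid.\t3600\tIN\tRRSIG\tSSHFP 8 3 3600 (signature bytes omitted)",
    ])


if __name__ == "__main__":
    for algo, fpt, fp in sshfp_records(SAMPLE_PUBKEY):
        print(f"admin.example.invalid. IN SSHFP {algo} {fpt} {fp}")
    print("prompt fingerprint:", md5_colon_fingerprint(SAMPLE_PUBKEY))
    sha256_fp = sshfp_records(SAMPLE_PUBKEY)[1][2]
    print(dns_verdict(SAMPLE_PUBKEY, sample_dig(False, sha256_fp)))
    print(dns_verdict(SAMPLE_PUBKEY, sample_dig(True, sha256_fp)))
```

On a real host the same check is: compare `ssh-keygen -r hostname -f /etc/ssh/ssh_host_key.pub` with `dig +dnssec SSHFP hostname` and look for `ad` in the flags line; `ssh -vvv` reports the same distinction as "found N secure fingerprints in DNS" versus "found N insecure fingerprints in DNS". When dnsviz shows the zone validating but `ad` is missing, the gap is between ssh and the recursive resolver: the nameserver in /etc/resolv.conf is not the validating one, or it is not validating for that client.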






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5374D681.5070901>