Date:      Thu, 15 Aug 2013 18:22:09 +0100 (BST)
From:      Gavin Atkinson <gavin@FreeBSD.org>
To:        Ralph Holz <holz@net.in.tum.de>
Cc:        bugbusters@freebsd.org
Subject:   Re: Wrong SSHFP on FreeBSD servers
Message-ID:  <alpine.BSF.2.00.1308151749460.88779@thunderhorn.york.ac.uk>
In-Reply-To: <520CDDB5.8080307@net.in.tum.de>
References:  <520CDDB5.8080307@net.in.tum.de>


On Thu, 15 Aug 2013, Ralph Holz wrote:
> Dear FreeBSD team,
>
> I am not sure if I got the right mail address, but nevertheless:

It's not the right email address, but I'll see if I can help - and if
not, I'll forward your email on to the right people.

> A routine scan of SSH and DNS has marked the following of your domains
> as presenting inaccurate SSHFP resource records. Can you confirm this?

As far as I can tell, the records are correct.  I'd be interested in
knowing why you think they are wrong...

Just picking the top three from your list:

>  pkg-master.freebsd.org
>  ref8-amd64.freebsd.org
>  admin0.nyi.freebsd.org

gavin@freefall:/home/gavin 101% dig sshfp pkg-master.freebsd.org
[...]
pkg-master.freebsd.org. 2925    IN      SSHFP   1 1 F9649EA3087196CEC3E95A3D57F2D9FE2C2BAA51
pkg-master.freebsd.org. 2925    IN      SSHFP   1 2 646A119A9822F1FDBD43CE737B61AED68909CF7A6DB967D34CDDD2DA 4F65FF93
pkg-master.freebsd.org. 2925    IN      SSHFP   2 1 7764B5F462C11EA20AF9BA284DC9D64F2FBCED98
pkg-master.freebsd.org. 2925    IN      SSHFP   2 2 A6E58FF7F28C17FAFD1AF9531FACF8F7C5E03B7FF2D3503731B93BF9 393C2171
pkg-master.freebsd.org. 2925    IN      SSHFP   3 1 D2A7DA2E3D1D2C2533544CB3BAEC9F8BFDB17010
pkg-master.freebsd.org. 2925    IN      SSHFP   3 2 79CB56F5E0693F1A691ABBA5A40BB2A0DC3EEC50F24AF82AFB7050AB E7D1AD44

(and logged onto pkg-master.freebsd.org:)
> ssh-keygen -r localhost
localhost IN SSHFP 1 1 f9649ea3087196cec3e95a3d57f2d9fe2c2baa51
localhost IN SSHFP 1 2 646a119a9822f1fdbd43ce737b61aed68909cf7a6db967d34cddd2da4f65ff93
localhost IN SSHFP 2 1 7764b5f462c11ea20af9ba284dc9d64f2fbced98
localhost IN SSHFP 2 2 a6e58ff7f28c17fafd1af9531facf8f7c5e03b7ff2d3503731b93bf9393c2171
localhost IN SSHFP 3 1 d2a7da2e3d1d2c2533544cb3baec9f8bfdb17010
localhost IN SSHFP 3 2 79cb56f5e0693f1a691abba5a40bb2a0dc3eec50f24af82afb7050abe7d1ad44


gavin@freefall:/home/gavin 102% dig sshfp ref8-amd64.freebsd.org
[...]
;; ANSWER SECTION:
ref8-amd64.freebsd.org. 3600    IN      SSHFP   1 1 70892BE73E725D8F93F79314FF17B415B7FEFA53
ref8-amd64.freebsd.org. 3600    IN      SSHFP   1 2 011C80E6248A613542745BB6648FAF7F7798494B9E545AD7FEC1186F 5F89E97C
ref8-amd64.freebsd.org. 3600    IN      SSHFP   2 1 9B54EB4DAAEFDD5BD757881F39488DD66727ACAB
ref8-amd64.freebsd.org. 3600    IN      SSHFP   2 2 58FC35CD7049012DAE97DD7EC903354156CBE737C76E8C59444EAAB1 A9398906
ref8-amd64.freebsd.org. 3600    IN      SSHFP   3 1 739DE449007C61783777EF07024C503071B3849A
ref8-amd64.freebsd.org. 3600    IN      SSHFP   3 2 EF09E85770695C4C24A3F0171457CE72388112DD9236115FF1DE7191 8CD6B10A

(and logged onto ref8-amd64.freebsd.org:)
104% ssh-keygen -r localhost
localhost IN SSHFP 1 1 70892be73e725d8f93f79314ff17b415b7fefa53
localhost IN SSHFP 1 2 011c80e6248a613542745bb6648faf7f7798494b9e545ad7fec1186f5f89e97c
localhost IN SSHFP 2 1 9b54eb4daaefdd5bd757881f39488dd66727acab
localhost IN SSHFP 2 2 58fc35cd7049012dae97dd7ec903354156cbe737c76e8c59444eaab1a9398906
localhost IN SSHFP 3 1 739de449007c61783777ef07024c503071b3849a
localhost IN SSHFP 3 2 ef09e85770695c4c24a3f0171457ce72388112dd9236115ff1de71918cd6b10a


gavin@freefall:/home/gavin 103% dig sshfp admin0.nyi.freebsd.org
[...]
;; ANSWER SECTION:
admin0.nyi.freebsd.org. 3600    IN      SSHFP   1 1 623FA95A5F643A5943BF36F7719287616492E28B
admin0.nyi.freebsd.org. 3600    IN      SSHFP   1 2 1059CC96B56DBD2CD23454AE4F5C74BCD145EF27FE8B06659083F866 8CAB0589
admin0.nyi.freebsd.org. 3600    IN      SSHFP   2 1 35944945A1FAA03DD28CF4A0E1FBB157EB9F9683
admin0.nyi.freebsd.org. 3600    IN      SSHFP   2 2 7B6A17F76E302013F0F75251E7E50650BC9B9E0AE5CB44CE57C07F66 369CE622
admin0.nyi.freebsd.org. 3600    IN      SSHFP   3 1 F88889BB1BF296EF887FE16EBCC00F7CB0687D5D
admin0.nyi.freebsd.org. 3600    IN      SSHFP   3 2 4F0077E3DEFF1545105C24C95B8D128D14235ACA66B4C9E2166CBBBB 63F88AA4

(and logged onto admin0.nyi.freebsd.org:)
localhost IN SSHFP 1 1 623fa95a5f643a5943bf36f7719287616492e28b
localhost IN SSHFP 1 2 1059cc96b56dbd2cd23454ae4f5c74bcd145ef27fe8b06659083f8668cab0589
localhost IN SSHFP 2 1 35944945a1faa03dd28cf4a0e1fbb157eb9f9683
localhost IN SSHFP 2 2 7b6a17f76e302013f0f75251e7e50650bc9b9e0ae5cb44ce57c07f66369ce622
localhost IN SSHFP 3 1 f88889bb1bf296ef887fe16ebcc00f7cb0687d5d
localhost IN SSHFP 3 2 4f0077e3deff1545105c24c95b8d128d14235aca66b4c9e2166cbbbb63f88aa4

All three appear to match up.

> I don't think it's a serious problem - no one seems to use these RR and
> we only found 3 (!) accurate RRs in our database... but still, I thought
> you might like to know.

Heh.  We're actually using SSHFP (and DANE) now quite heavily - at least,
we're trying to publish records for everything.  I have no idea how many
users use them, though I suspect if there were issues people would have
complained by now.

The fact that you have only found three accurate RRs suggests that maybe
the issue is at your end.  Here's my theory: You're using "ssh-keygen -r",
to generate your data, and misunderstanding exactly what the argument to
-r means.  Note that the argument to -r is not "show me fingerprints for
this host" but "show me fingerprints for the host I'm logged into, with
DNS entries suitable for this host".  Or, to put it another way (all run
from admin0.nyi.freebsd.org):

> ssh-keygen -r admin0.nyi.freebsd.org |grep "SSHFP 1 1"
admin0.nyi.freebsd.org IN SSHFP 1 1 623fa95a5f643a5943bf36f7719287616492e28b
> ssh-keygen -r ref8-amd64.freebsd.org | grep "SSHFP 1 1"
ref8-amd64.freebsd.org IN SSHFP 1 1 623fa95a5f643a5943bf36f7719287616492e28b
> ssh-keygen -r pkg-master.freebsd.org | grep "SSHFP 1 1"
pkg-master.freebsd.org IN SSHFP 1 1 623fa95a5f643a5943bf36f7719287616492e28b

i.e. all show the same fingerprint - that of the local machine.  Let me
further guess: Are the only three accurate RRs in your database those of
the machines you are running the tests from? :-)

Let me know if you get to the bottom of it, I am interested in the
outcome.

Thanks,

Gavin

>
> Thanks,
> Ralph
>
>  pkg-master.freebsd.org
>  ref8-amd64.freebsd.org
>  admin0.nyi.freebsd.org
>  routerer.freebsd.org
>  portsmon.freebsd.org
>  nova.freebsd.org
>  bake.isc.freebsd.org
>  admbas1.isc.freebsd.org
>  package2.nyi.freebsd.org
>  admbas1.nyi.freebsd.org
>  vcs.nyi.freebsd.org
>  admauth0.isc.freebsd.org
>  repo.freebsd.org
>  package17.nyi.freebsd.org
>  admin1.nyi.freebsd.org
>  igw0.bme.freebsd.org
>  admin.bme.freebsd.org
>  package12.nyi.freebsd.org
>  bgp0-ext.ysv.freebsd.org
>  ps.isc.freebsd.org
>  gohan13.freebsd.org
>  beefy1.isc.freebsd.org
>  gohan12.freebsd.org
>  igw1.isc.freebsd.org
>  package5.nyi.freebsd.org
>  admauth1.nyi.freebsd.org
>  admauth1.isc.freebsd.org
>  gohan61.freebsd.org
>  ref9-amd64.freebsd.org
>  vm0.freebsd.org
>  package11.nyi.freebsd.org
>  pkg-mirror0.nyi.freebsd.org
>  repoman2.freebsd.org
>  admin.isc.freebsd.org
>  gohan10.freebsd.org
>  snap.freebsd.org
>  skunkworks.freebsd.org
>  mailspool.freebsd.org
>  bhyve.freebsd.org
>  stream.freebsd.org
>  admauth0.nyi.freebsd.org
>  bbig.ysv.freebsd.org
>  stench.freebsd.org
>  package9.nyi.freebsd.org
>  ref10-amd64.freebsd.org
>  pb2.nyi.freebsd.org
>  package13.nyi.freebsd.org
>  halo.freebsd.org
>  ref10-i386.freebsd.org
>  ray.bme.freebsd.org
>  beefy2.isc.freebsd.org
>  mailhub.freebsd.org
>  igw1.bme.freebsd.org
>  routerer-ext.ysv.freebsd.org
>  pointyhat-east.nyi.freebsd.org
>  nbk0.nyi.freebsd.org
>  pluto.freebsd.org
>  admbas0.isc.freebsd.org
>  cook.isc.freebsd.org
>  worm.freebsd.org
>  package8.nyi.freebsd.org
>  ybk.ysv.freebsd.org
>  bgp0.ysv.freebsd.org
>  igw0.isc.freebsd.org
>  svn.freebsd.org
>  package4.nyi.freebsd.org
>  flame.freebsd.org
>  foundation.freebsd.org
>  freefall.freebsd.org
>  service2.freebsd.org
>  fif0.nyi.freebsd.org
>  package14.nyi.freebsd.org
>  package3.nyi.freebsd.org
>  bit-master.freebsd.org
>  package16.nyi.freebsd.org
>  igw0.nyi.freebsd.org
>  portsindexbuild.ysv.freebsd.org
>  routerest-ext.ysv.freebsd.org
> --
> Ralph Holz
> I8 - Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> Phone +49.89.289.18043
> PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
> _______________________________________________
> freebsd-bugbusters@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-bugbusters
> To unsubscribe, send any mail to "freebsd-bugbusters-unsubscribe@freebsd.org"
>
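The check Gavin describes, done the right way round, as an added example (this is not code from the mail above, nor FreeBSD's own tooling): take the SSHFP answer set from `dig sshfp <host>`, take the public key the host actually presents over the network (the known_hosts-style line that `ssh-keyscan <host>` prints), hash the key blob the way RFC 4255 (SHA-1) and RFC 6594 (SHA-256) specify, and compare. Running `ssh-keygen -r` on the scanning box hashes the scanner's own keys in /etc/ssh, which is why every name came back with the same fingerprint in the mail. The host name `example.test`, the key blob, and the dig answer below are all constructed for the example; the sample dig answer deliberately contains one correct record and one stale one so the mismatch path is exercised too.

```python
"""Verify SSHFP resource records against the key a host actually presents.

Added example, not from the mail above. Inputs are what `dig sshfp <host>`
and `ssh-keyscan <host>` print; the sample data below is constructed.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by the SSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob_type(blob: bytes) -> str:
    """Return the key type string that opens an SSH public-key blob
    (uint32 length followed by the type name, per RFC 4253 wire encoding)."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def sshfp_for_key(keyline: str):
    """Compute the (algorithm, fptype, hexdigest) tuples an SSHFP RRset should
    carry for one known_hosts / ssh-keyscan style line: '<host> <keytype> <base64>'.
    The fingerprint is the hash of the raw base64-decoded blob, not of the text."""
    fields = keyline.split()
    keytype, b64 = fields[-2], fields[-1]          # the host field is optional
    blob = base64.b64decode(b64)
    if key_blob_type(blob) != keytype:             # cheap sanity check on the input
        raise ValueError("key type field disagrees with the key blob")
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_HASH.items()]


def parse_dig_sshfp(text: str):
    """Parse `dig sshfp` answer lines into (algorithm, fptype, hexdigest).
    dig prints the digest in upper case and may split it with a space, as seen
    in the SHA-256 records in the mail; normalise both before comparing."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if "SSHFP" not in fields:                  # skips ';; ANSWER SECTION:' etc.
            continue
        i = fields.index("SSHFP")
        alg, fptype = int(fields[i + 1]), int(fields[i + 2])
        records.append((alg, fptype, "".join(fields[i + 3:]).lower()))
    return records


def check_sshfp(dig_output: str, keylines):
    """Return (matched, dns_only, key_only): records published and correct,
    records published that no presented key explains (stale or wrong), and
    fingerprints of presented keys that DNS does not carry at all."""
    dns = set(parse_dig_sshfp(dig_output))
    expected = set()
    for line in keylines:
        expected.update(sshfp_for_key(line))
    return dns & expected, dns - expected, expected - dns


# Constructed sample key: a syntactically valid ssh-ed25519 blob whose 32-byte
# "public key" is just 0x00..0x1f. It is NOT a real host key.
SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KEYLINE = "example.test ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()


def sample_dig_output() -> str:
    """Constructed dig answer: the correct SHA-256 record, split at a space the
    way dig prints it, plus a stale SHA-1 record that no longer matches the key."""
    sha256 = hashlib.sha256(SAMPLE_BLOB).hexdigest().upper()
    return "\n".join([
        ";; ANSWER SECTION:",
        f"example.test. 3600 IN SSHFP 4 2 {sha256[:56]} {sha256[56:]}",
        "example.test. 3600 IN SSHFP 4 1 " + "00" * 20,
    ])


if __name__ == "__main__":
    matched, dns_only, key_only = check_sshfp(sample_dig_output(), [SAMPLE_KEYLINE])
    print("correct records:  ", sorted(matched))
    print("stale/wrong in DNS:", sorted(dns_only))
    print("missing from DNS: ", sorted(key_only))
```

In practice `keylines` would be every line `ssh-keyscan -t rsa,dsa,ecdsa,ed25519 <host>` returns, so a host with several key types is checked type by type; a non-empty `dns_only` set is what a scan like Ralph's should be reporting, while a non-empty `key_only` set just means the zone publishes fewer fingerprint types than the host has keys.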
Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1308151749460.88779>