Package: openssh-client
Version: 1:7.7p1-2
Severity: normal
File: /usr/bin/ssh
Hello,

I have on my work machine "VerifyHostKeyDNS ask" in my ~/.ssh/config and "search mydomain" in /etc/resolv.conf (anonymized, though). With "tcpdump -i $landev udp port 53" running on my local DNS server, I see the following requests logged when I do "ssh anothermachine" from my work machine:

07:52:23.446609 IP work.mydomain.53992 > dnsserver.mydomain.53: 64011+ A? anothermachine.mydomain. (47)
07:52:23.446741 IP work.mydomain.53992 > dnsserver.mydomain.53: 59411+ AAAA? anothermachine.mydomain. (47)
07:52:23.447450 IP dnsserver.mydomain.53 > work.mydomain.53992: 64011* 1/0/0 A 192.168.0.12 (63)
07:52:23.447762 IP dnsserver.mydomain.53 > work.mydomain.53992: 59411 0/0/0 (47)
07:52:23.504582 IP work.mydomain.57475 > dnsserver.mydomain.53: 36966+ [1au] SSHFP? anothermachine. (34)
07:52:23.507386 IP dnsserver.mydomain.53 > work.mydomain.57475: 36966* 0/0/1 (34)

The request for "anothermachine.mydomain." can be answered by my local DNS server directly; the request for "anothermachine.", however, is forwarded to the next upstream DNS server, and so my intent to connect is leaked. I would expect ssh to ask for "SSHFP? anothermachine.mydomain." instead of "SSHFP? anothermachine." in this case.

I didn't check the code, but I think the fix includes adding AI_CANONNAME to hints.ai_flags in the call to getaddrinfo(3) and using the returned ai_canonname for looking up the SSHFP DNS RR.
Best regards
Uwe

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (500, 'unstable-debug'), (500, 'stable'), (499, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.117
ii  dpkg              1.19.0.5
ii  libbsd0           0.8.7-1
ii  libc6             2.27-3
ii  libedit2          3.1-20170329-1
ii  libgssapi-krb5-2  1.16-2
ii  libselinux1       2.7-2+b2
ii  libssl1.0.2       1.0.2o-1
ii  passwd            1:4.5-1
ii  zlib1g            1:1.2.8.dfsg-5

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.10-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information
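The leak described in the report can be checked mechanically from a capture. The following is an added example, not code from the bug report or from OpenSSH: it parses tcpdump "udp port 53" lines like the ones quoted above, pairs each SSHFP query with the A/AAAA lookup for the same host, and flags the SSHFP query when it lacks the domain suffix the address lookup carried (which is exactly the query a local resolver would have to forward upstream). The canonical_name() helper shows the resolver side of the proposed fix, socket.getaddrinfo() with AI_CANONNAME, as a Python stand-in for the getaddrinfo(3) call mentioned in the report; the sample capture lines and the "fixed" variant are constructed for the example.

```python
"""Flag SSHFP lookups sent with an unqualified name (added example)."""
import re
import socket

# Constructed sample: the six capture lines quoted in the report.
CAPTURE = """\
07:52:23.446609 IP work.mydomain.53992 > dnsserver.mydomain.53: 64011+ A? anothermachine.mydomain. (47)
07:52:23.446741 IP work.mydomain.53992 > dnsserver.mydomain.53: 59411+ AAAA? anothermachine.mydomain. (47)
07:52:23.447450 IP dnsserver.mydomain.53 > work.mydomain.53992: 64011* 1/0/0 A 192.168.0.12 (63)
07:52:23.447762 IP dnsserver.mydomain.53 > work.mydomain.53992: 59411 0/0/0 (47)
07:52:23.504582 IP work.mydomain.57475 > dnsserver.mydomain.53: 36966+ [1au] SSHFP? anothermachine. (34)
07:52:23.507386 IP dnsserver.mydomain.53 > work.mydomain.57475: 36966* 0/0/1 (34)
"""

# Constructed variant of what the capture would look like if ssh queried
# SSHFP for the canonical name instead of the name typed on the command line.
FIXED_CAPTURE = CAPTURE.replace("SSHFP? anothermachine. (34)",
                                "SSHFP? anothermachine.mydomain. (44)")

# tcpdump prints a query as "<id>+ [1au] <TYPE>? <qname> (<len>)";
# "+" is recursion-desired, "[1au]" marks an EDNS OPT record. Answers
# ("<id>*" or "<id>" followed by counts) do not match this pattern.
QUERY_RE = re.compile(
    r"(?P<id>\d+)\+ (?:\[1au\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$"
)


def parse_queries(capture):
    """Return [(qtype, qname)] for every query line; answers are skipped.

    Names are lower-cased and the trailing root dot is removed so that
    'anothermachine.mydomain.' and 'anothermachine.mydomain' compare equal.
    """
    queries = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries.append((m.group("qtype"),
                            m.group("qname").rstrip(".").lower()))
    return queries


def find_sshfp_leaks(capture):
    """Return [(sshfp_qname, address_fqdn)] for each leaking SSHFP query.

    An SSHFP query leaks when its qname is only a prefix of the name that
    the A/AAAA lookup for the same connection used: the resolver's search
    domain was applied to the address lookup but not to the SSHFP lookup,
    so the bare name must be forwarded to the upstream server.
    """
    queries = parse_queries(capture)
    address_names = {q for t, q in queries if t in ("A", "AAAA")}
    leaks = []
    for qtype, qname in queries:
        if qtype != "SSHFP" or qname in address_names:
            continue
        for fqdn in sorted(address_names):
            if fqdn.startswith(qname + "."):
                leaks.append((qname, fqdn))
                break
    return leaks


def canonical_name(host):
    """Name to query SSHFP for, as the report proposes: the ai_canonname
    that getaddrinfo(3) returns with AI_CANONNAME set, falling back to the
    typed name when resolution fails. Python exposes it as element 3 of
    the first getaddrinfo() tuple; this performs a real lookup."""
    try:
        results = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)
    except socket.gaierror:
        return host
    return results[0][3] or host


if __name__ == "__main__":
    for bare, fqdn in find_sshfp_leaks(CAPTURE):
        print(f"leak: SSHFP queried for {bare!r}, address lookup used {fqdn!r}")
    print("fixed capture leaks:", find_sshfp_leaks(FIXED_CAPTURE))
```

Run against the six lines from the report it flags one leak, "anothermachine" versus "anothermachine.mydomain"; against the constructed fixed capture it flags nothing.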