https://bugzilla.mindrot.org/show_bug.cgi?id=3322
Darren Tucker <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]
             Blocks|                            |3302

--- Comment #1 from Darren Tucker <[email protected]> ---
I commented on the pull request too, but I don't think your change actually
does anything. While iterating the rrset, the existing code uses the digest
type from the DNS record:

    if (hostkey_digest_type != dnskey_digest_type) {
            hostkey_digest_type = dnskey_digest_type;
            free(hostkey_digest);

            /* Initialize host key parameters */
            if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
                &hostkey_digest, &hostkey_digest_len, hostkey)) {

If we add a couple of debug calls to the current code you can see it verifies
both fingerprint types (this machine has SHA1 and SHA256 RSA fingerprints):

    $ ./ssh -vvv -o verifyhostkeydns=ask -o hostkeyalgorithms=rsa-sha2-256 fw 2>&1 | grep -i dns
    debug3: verify_host_key_dns
    debug1: found 4 insecure fingerprints in DNS
    debug3: verify_host_key_dns: checking SSHFP type 4 fptype 1
    debug3: verify_host_key_dns: checking SSHFP type 1 fptype 1
    debug1: verify_host_key_dns: matched SSHFP type 1 fptype 1
    debug3: verify_host_key_dns: checking SSHFP type 3 fptype 2
    debug3: verify_host_key_dns: checking SSHFP type 1 fptype 2
    debug1: verify_host_key_dns: matched SSHFP type 1 fptype 2

It'll return success if either validates, though, which is probably not
ideal. It should probably ensure that all fingerprints match.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3302
[Bug 3302] Tracking bug for openssh-8.7

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
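The two matching policies the comment contrasts, "succeed if any applicable SSHFP record matches" versus "require every applicable record to match", as an added Python illustration. This is not OpenSSH's dns.c and not code from the bug report or the pull request; it assumes the SSHFP algorithm numbers (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519) and fingerprint types (1 SHA-1, 2 SHA-256) from the IANA SSHFP registry, and the host key blob and resource records below are constructed test data, not real keys.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SSHFP algorithm numbers from the IANA SSHFP registry (RFC 4255, 6594, 7479).
SSHFP_ALG_RSA, SSHFP_ALG_DSA, SSHFP_ALG_ECDSA, SSHFP_ALG_ED25519 = 1, 2, 3, 4
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256. Anything else is unknown
# to this checker and is skipped rather than treated as a match or mismatch.
SSHFP_DIGEST = {1: "sha1", 2: "sha256"}


@dataclass(frozen=True)
class SSHFPRecord:
    algorithm: int      # SSHFP algorithm number (key type)
    fptype: int         # SSHFP fingerprint type (digest algorithm)
    fingerprint: str    # hex digest as published in DNS


def fingerprint_of(key_blob: bytes, fptype: int) -> Optional[str]:
    """Digest of the host key blob using the digest the record asks for,
    mirroring the comment's point that the record's digest type drives
    which fingerprint is computed. None for an unknown fptype."""
    name = SSHFP_DIGEST.get(fptype)
    if name is None:
        return None
    return hashlib.new(name, key_blob).hexdigest()


def verify_host_key_sshfp(key_alg: int, key_blob: bytes,
                          rrset: List[SSHFPRecord],
                          require_all: bool) -> Tuple[bool, int, int]:
    """Check a host key against an SSHFP rrset.

    Returns (verified, checked, matched). Records for a different key type
    or an unsupported digest are ignored. With require_all=False the check
    succeeds as soon as one applicable record matches (the 'either validates'
    behaviour described in the comment); with require_all=True every
    applicable record must match, so a single tampered or stale record
    for this key type fails verification."""
    checked = matched = 0
    for rr in rrset:
        if rr.algorithm != key_alg:
            continue                      # record describes another key type
        fp = fingerprint_of(key_blob, rr.fptype)
        if fp is None:
            continue                      # digest type we cannot compute
        checked += 1
        if fp == rr.fingerprint.lower():
            matched += 1
    if checked == 0:
        return (False, 0, 0)              # nothing applicable: no verdict
    verified = (matched == checked) if require_all else (matched > 0)
    return (verified, checked, matched)


# Constructed sample data: a fake RSA host key blob and a plausible rrset
# carrying SHA-1 and SHA-256 records for it, an Ed25519 record for some
# other key, and a record with a digest type this checker does not know.
HOST_KEY_BLOB = b"constructed-ssh-rsa-public-key-blob-not-a-real-key"
GOOD_RRSET = [
    SSHFPRecord(SSHFP_ALG_RSA, 1, fingerprint_of(HOST_KEY_BLOB, 1)),
    SSHFPRecord(SSHFP_ALG_RSA, 2, fingerprint_of(HOST_KEY_BLOB, 2)),
    SSHFPRecord(SSHFP_ALG_ED25519, 1, "00" * 20),
    SSHFPRecord(SSHFP_ALG_RSA, 9, "ab" * 16),
]
# Same rrset plus one RSA/SHA-256 record that does not match the host key.
TAMPERED_RRSET = GOOD_RRSET + [SSHFPRecord(SSHFP_ALG_RSA, 2, "ff" * 32)]


if __name__ == "__main__":
    for label, rrset in (("clean", GOOD_RRSET), ("tampered", TAMPERED_RRSET)):
        for policy in (False, True):
            result = verify_host_key_sshfp(SSHFP_ALG_RSA, HOST_KEY_BLOB, rrset, policy)
            print(f"{label:8s} require_all={policy!s:5s} -> {result}")
```

The interesting row is the tampered rrset: the any-match policy still reports success because the two genuine records match, while the all-match policy fails on the bogus record. That is the difference the comment is pointing at; which policy a client should adopt is a question for the OpenSSH maintainers, and the example only makes the two outcomes visible side by side.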
