Support for ECDSA and ED25519 SSHFP key algorithms #355

Closed
karlism opened this Issue Nov 7, 2016 · 6 comments

karlism commented Nov 7, 2016

Hello!

It seems that fmDNS lacks support for the ECDSA (id 3) and ED25519 (id 4) SSHFP key algorithms; only RSA and DSA are supported. Can you please add them?

Thanks!

karlism commented Nov 7, 2016

And I think I've found one more issue regarding SSHFP DNS records: it's not possible to specify whether the algorithm type is SHA1 (id 1) or SHA256 (id 2); fmDNS always enters it as SHA1 (id 1).

Owner

WillyXJ commented Nov 7, 2016

Thanks for the report. The reason fmDNS supports SSHFP RRs as you've described is because that's the only information I've been able to find on BIND's support for the RR. See https://books.google.com/books?id=TZ1RpjhoHfsC&pg=PA546&lpg=PA546&dq=bind+sshfp&source=bl&ots=Xce8iagFeU&sig=8kFhX5hSe6I_zPlJUB9dR1dotbM&hl=en&sa=X&ved=0ahUKEwisuNfH_JbQAhXH8CYKHe-EA4E4ChDoAQghMAE#v=onepage&q=bind%20sshfp&f=false

Do you have a better resource I can reference for this RR?

karlism commented Nov 8, 2016

Thanks for the prompt response!

If you run ssh-keygen -r on the latest OpenSSH, the output is as follows:

```
$ ssh -V
OpenSSH_7.3, LibreSSL 2.4.2
$ ssh-keygen -r example
example IN SSHFP 1 1 bba0b56aff5613490e9577c4274884fc596cd82b
example IN SSHFP 1 2 d5e37a4985d799e6804f50811d68917a2e040c3a3c523ab41ed9d2e115bf5b23
example IN SSHFP 2 1 348f7fd7be400fa68c744d00a72dc7ed0b556822
example IN SSHFP 2 2 819ee6971d1312c153e9633c001fb65e12382e3d5bfd10d32a5dfe4cb7dd2723
example IN SSHFP 3 1 806d8baf8ff87e3c86fe0c0bfb51251557349509
example IN SSHFP 3 2 02f0be074a7bbaa3799215b69015db0c136453b451cd783434df4adf022db8b8
example IN SSHFP 4 1 cb7bd3f2edbf9d6f57b1627f3293b8831816be32
example IN SSHFP 4 2 b531c6804864dd29eb7e8a129c513d2b7dd9cc995767622159dc12093508491d
```

Please see this thread for more information about algorithms and their types:
http://unix.stackexchange.com/questions/121880/how-do-i-generate-sshfp-records
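
An added example, not part of the original thread and not fmDNS code: building SSHFP records from an OpenSSH public key line, covering all four key algorithm numbers and both fingerprint types discussed above. The function names and the sample Ed25519 key are constructed for illustration.

```python
import base64
import hashlib
import struct

# Key algorithm numbers from the IANA SSHFP RR parameter registry.
KEY_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Fingerprint type numbers: 1 = SHA-1, 2 = SHA-256.
FINGERPRINT_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def sshfp_records(owner: str, pubkey_line: str) -> list:
    """Return one SSHFP record per fingerprint type for an OpenSSH public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, b64 = fields[0], fields[1]
    if key_type not in KEY_ALGORITHMS:
        raise ValueError(f"no SSHFP algorithm number for key type {key_type!r}")
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with its own key-type string; reject a mismatched label.
    if not blob.startswith(ssh_string(key_type.encode())):
        raise ValueError("key type label does not match the key blob")
    algorithm = KEY_ALGORITHMS[key_type]
    # The fingerprint is the digest of the raw public key blob, hex encoded.
    return [
        f"{owner} IN SSHFP {algorithm} {fp_type} {digest(blob).hexdigest()}"
        for fp_type, digest in sorted(FINGERPRINT_TYPES.items())
    ]


def sample_ed25519_line() -> str:
    """Constructed sample (not a real host key): 32 fixed bytes as the public key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    for record in sshfp_records("example", sample_ed25519_line()):
        print(record)
```
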

karlism commented Nov 8, 2016

The IANA SSHFP RR parameter page that is referenced in the book you pointed to has also been updated; please see the following link:
http://www.iana.org/assignments/dns-sshfp-rr-parameters/dns-sshfp-rr-parameters.xhtml

WillyXJ added this to the 3.0 release milestone Nov 8, 2016

WillyXJ added a commit that referenced this issue Nov 8, 2016

fmDNS - #355 - Added better SSHFP support
Added support for additional SSHFP algorithms and certificate types
karlism commented Nov 9, 2016

Thanks!

Owner

WillyXJ commented Nov 30, 2016

This is now included in 3.0-alpha3 and later.
