Bug 276410

Summary: security/openssh-portable: SSHFP/known_hosts issues when HPN is enabled (9.6.p1_1,1)
Product: Ports & Packages    Reporter: Craig Leres <leres>
Component: Individual Port(s)    Assignee: Bryan Drewery <bdrewery>
Status: New ---
Severity: Affects Only Me    Flags: bugzilla: maintainer-feedback? (bdrewery)
Priority: ---
Version: Latest
Hardware: Any
OS: Any

Description Craig Leres freebsd_committer freebsd_triage 2024-01-17 23:22:21 UTC
The HPN patchset for openssh-portable was updated with b3f86656fc67; however, when enabled it causes issues with ssh. When a user specifies a destination host that is not a fully qualified domain name (relying on the resolver search path to complete the hostname), ssh is unable to find SSHFP records (even when present) or known_hosts entries.

For example, given a resolv.conf with:

    search freebsd.org

Using the FQDN works as before:

    ice 146 % /usr/local/bin/ssh freefall.freebsd.org hostname
    freefall.freebsd.org

But using just the hostname does not:

    ice 147 % /usr/local/bin/ssh freefall hostname
    The authenticity of host 'freefall (2610:1c1:1:6074::16:84)' can't be established.
    ED25519 key fingerprint is SHA256:oJ7FKX5UTBWP4CncsrsaIb1JbfbtqzKOMYni3oVLAo0.
    No matching host key fingerprint found in DNS.
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])?

In this case tcpdump shows that "freefall.freebsd.org" is used for the A and AAAA DNS lookups but "freefall." is queried when the SSHFP lookup happens.

Rebuilding with HPN disabled solves this.
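When the automatic SSHFP lookup fails as above, the fingerprint in the prompt can still be checked by hand against the SSHFP record at the FQDN (the output of `dig freefall.freebsd.org SSHFP`). The helper below is an added example, not code from this report or from openssh-portable: it converts the `SHA256:<base64>` fingerprint ssh prints into SSHFP RDATA (`<algorithm> 2 <hex>`, numbers per RFC 4255/6594/7479) and compares it with a record; the record text used in the test is constructed.

```python
import base64
import hashlib

# SSHFP algorithm numbers: 1 RSA, 2 DSA (RFC 4255), 3 ECDSA (RFC 6594),
# 4 Ed25519 (RFC 7479). Fingerprint type 2 is SHA-256.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE_SHA256 = 2


def fingerprint_to_sshfp(fingerprint: str, key_type: str = "ssh-ed25519") -> str:
    """Map the 'SHA256:<base64>' fingerprint shown by ssh to SSHFP RDATA.

    ssh prints the SHA-256 digest of the host key blob as unpadded base64;
    SSHFP carries the same digest as lowercase hex."""
    prefix, b64 = fingerprint.split(":", 1)
    if prefix != "SHA256":
        raise ValueError("only SHA256 fingerprints map to SSHFP type 2")
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # restore padding
    if len(raw) != 32:
        raise ValueError("SHA256 fingerprint must decode to 32 bytes")
    return f"{SSHFP_ALGO[key_type]} {SSHFP_FPTYPE_SHA256} {raw.hex()}"


def sshfp_from_key_blob(blob: bytes, key_type: str = "ssh-ed25519") -> str:
    """SSHFP RDATA computed directly from a raw host key blob (what
    'ssh-keygen -r' would publish), for cross-checking the function above."""
    return f"{SSHFP_ALGO[key_type]} {SSHFP_FPTYPE_SHA256} {hashlib.sha256(blob).hexdigest()}"


def sshfp_matches(fingerprint: str, rdata: str, key_type: str = "ssh-ed25519") -> bool:
    """True if a DNS SSHFP record (e.g. '4 2 ab12...') matches the fingerprint
    ssh displayed. Hex case in DNS output is not significant."""
    want = fingerprint_to_sshfp(fingerprint, key_type).split()
    got = rdata.split()
    if len(got) != 3:
        return False
    return want[:2] == got[:2] and want[2] == got[2].lower()


if __name__ == "__main__":
    # Fingerprint from the prompt in the report; the RDATA here is the value
    # to compare against what dig returns for freefall.freebsd.org.
    print(fingerprint_to_sshfp("SHA256:oJ7FKX5UTBWP4CncsrsaIb1JbfbtqzKOMYni3oVLAo0"))
```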