PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

Unable to Use SSHFP Records to Verify SSH Host Keys #1841

Open ghost opened 2 years ago

ghost commented 2 years ago

Troubleshooting steps https://github.com/PowerShell/Win32-OpenSSH/wiki/Troubleshooting-Steps

Terminal issue? please go through wiki https://github.com/PowerShell/Win32-OpenSSH/wiki/TTY-PTY-support-in-Windows-OpenSSH

Please answer the following

"OpenSSH for Windows" version 8.1.0.1

Server OperatingSystem Debian GNU/Linux 11 (bullseye) x86_64

Client OperatingSystem Windows 10 Education

What is failing Unable to use SSHFP Records to Verify SSH Host Keys.

Expected output Matching host key fingerprint found in DNS.

Which is what I get from OpenSSH client inside Ubuntu WSL.

Actual output

debug3: verify_host_key_dns
getrrsetbyname is not supported
DNS lookup error: unknown error
No matching host key fingerprint found in DNS.
bagajjal commented 2 years ago

It's a DNS lookup error, which means the target can't be found.

ghost commented 2 years ago

It's a DNS lookup error, which means the target can't be found.

The debug log specifically said getrrsetbyname is not supported in this Windows build of OpenSSH, thus it is unable to verify SSHFP records.

bagajjal commented 2 years ago

Yes, getrrsetbyname is not supported in win32 openssh. We don't have any plans to implement this in the future.

RouL commented 2 years ago

I know this is an old issue and reviving the dead gives bad mojo, but since it's not closed and this is still an issue in current Win32 OpenSSH:

Yes, getrrsetbyname is not supported in win32 openssh. We don't have any plans to implement this in the future.

Could you please at least elaborate on why it won't be implemented? SSHFP has been around for quite a while already, and it would be really nice to actually be able to use it from Windows as well. I mean, it basically works on all the other operating systems. Please be nice to people who are stuck on Windows. :)

winterheart commented 1 year ago

getrrsetbyname is a BSD function and is unavailable outside BSD systems, so even on Linux it cannot be used for DNSSEC/SSHFP validation. On portable OpenSSH builds, DNSSEC validation can be achieved only if the client is built with LDNS library (https://www.nlnetlabs.nl/projects/ldns/) support (like ./configure --with-ldns), so the main blocker is porting the LDNS library to Windows and statically building it into the ssh client.
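As an added example (not code from Win32-OpenSSH or from anyone in this thread), here is the comparison ssh performs in verify_host_key_dns once an SSHFP record has been fetched, in Python: derive the SSHFP rdata (algorithm, fingerprint type, hex digest of the raw key blob) from an OpenSSH public-key line and check it against a record returned by the resolver. The sample key is constructed, and like a client built without LDNS this checks only that key and record agree, not that the record is DNSSEC-signed.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_pubkey(pubkey_line, fptype=2):
    """Build SSHFP rdata ("alg fptype hex") for a public-key line as printed by
    ssh-keyscan or stored in known_hosts. The digest covers the decoded key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    digest = SSHFP_FPTYPE[fptype](blob).hexdigest()
    return f"{SSHFP_ALGO[keytype]} {fptype} {digest}"


def verify_sshfp(pubkey_line, sshfp_rdata):
    """Return True if the SSHFP record matches the host key the server presented.
    Mismatched algorithm, unknown hash type or differing digest all give False."""
    alg, fptype, fp = sshfp_rdata.split()
    alg, fptype = int(alg), int(fptype)
    keytype = pubkey_line.split()[0]
    if SSHFP_ALGO.get(keytype) != alg or fptype not in SSHFP_FPTYPE:
        return False
    expected = sshfp_from_pubkey(pubkey_line, fptype).split()[2]
    # Constant-time compare; a digest of the wrong length simply fails.
    return hmac.compare_digest(expected, fp.lower())


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed sample host key (not a real key): ed25519 wire format is
# string("ssh-ed25519") || string(32-byte public key).
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()

if __name__ == "__main__":
    record = sshfp_from_pubkey(SAMPLE_KEY)
    print("SSHFP rdata:", record)
    print("matches:", verify_sshfp(SAMPLE_KEY, record))
```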

WobwobRt commented 1 month ago

Had some major issues getting this to work. Eventually managed to make it work in Linux by using systemd-resolved, only to find out Windows doesn't support this feature 😒