Launchpad itself

SSHFP DNS record for ppa.launchpad.net

Bug #689199 reported by Jacob Appelbaum on 2010-12-12

This bug report is a duplicate of: Bug #238869: SSH host keys not verifiable. Edit Remove

264

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Launchpad itself	Triaged	Low	Unassigned
	Ubuntu	Invalid	Undecided	Unassigned

Bug Description

I have previously never used the PPA system and there appears to be no out of band method to verify the SSH fingerprint of the remote system.

The PPA uploading documentation page (https://help.launchpad.net/Packaging/PPA/Uploading) does not list '6b:03:de:98:33:25:23:18:a6:46:b3:47:22:cd:54:f2' for 'ppa.launchpad.net (91.189.90.217)' nor does there appear to be a SSHFP DNS record for my OpenSSH client to use as a verification method.

Is there some kind of Ubuntu host database that would give me a live query system for SSH or SSL/TLS fingerprints?

Tags:

Revision history for this message

Jacob Appelbaum (jacob-appelbaum) wrote on 2010-12-12:

Sorry to flag this as a security "vulnerability" - it's obviously not a vulnerability; it's more of a security related issue.

Revision history for this message

Kees Cook (kees) wrote on 2010-12-12:

Excellent point. Moving this to the Soyuz project, which is likely responsible for the PPA systems.

visibility:	private → public
Changed in ubuntu:
status:	New → Invalid
Changed in soyuz:
status:	New → Confirmed

Revision history for this message

Jacob Appelbaum (jacob-appelbaum) wrote on 2010-12-12:

If I were to contribute a list of SSHFP DNS records - where should I do that? Should I file them as bugs?

Revision history for this message

Jelmer Vernooij (jelmer) wrote on 2010-12-12:

As a file attached to this bug is probably best. Will it be a DNS zone file fragment?

On a related note, I wonder what the status of rfc4255 support in paramiko is as that's what dput (in some situations?) uses.

Revision history for this message

Robert Collins (lifeless) wrote on 2010-12-12: Re: [Bug 689199] Re: SSHFP DNS record for ppa.launchpad.net

Do we have a signed zone for launchpad.net? Thats necessary to do sshfp AIUI.

Revision history for this message

Jacob Appelbaum (jacob-appelbaum) wrote on 2010-12-12:

Is there a list of all Ubuntu SSH services? I'd be happy to scan some netblocks and produce the required SSHFP records for you guys.

I'm not clear on the paramiko status on SSHFP; perhaps someone can ask Robey?

DNSSEC is not required for SSHFP - it's merely a good idea if you want to seriously trust it.

Curtis Hovey (sinzui) on 2010-12-23

Changed in launchpad:
status:	Confirmed → Triaged

Curtis Hovey (sinzui) on 2010-12-31

Changed in launchpad:
importance:	Undecided → Low

Revision history for this message

Martin Pool (mbp) wrote on 2011-09-28:

We should do the same thing for bzr ssh access. (There might be a separate bug.)

A complementary approach to DNS entries is to put them in an Ubuntu package - that won't help everyone, but it does give a more strongly trusted path to the client machine. We could also put them on a web page.

This need not block on paramiko supporting it - it will help people using openssh today.

Report a bug

This report contains Public Security information

Everyone can see this security related information.

Duplicate of bug #238869 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.