2020-09-29 13:42:04 |
Daniel von Obernitz |
bug |
|
|
added bug |
2020-10-01 14:17:45 |
Dan Streetman |
description |
Hi,
1)
Description: Ubuntu 20.04.1 LTS
Release: 20.04
2)
systemd: 245.4-4ubuntu3.2
3)
I set VerifyHostKeyDNS to YES and hosts are automatically verified via sshfp.
4)
I still get the security question
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
The issue is known and fixed in systemd v246.
https://github.com/systemd/systemd/pull/16072
Best regards
Daniel |
[impact]
without trust-ad resolv.conf option, glibc will strip AD from systemd-resolved responses. one thing this will prevent working is ssh/sftp VerifyHostKeyDNS
[test case]
TBD
[regression potential]
TBD
[scope]
this is needed only in focal.
glibc first stripped the AD in version 2.31, so this is not needed in bionic or earlier.
this was added upstream in commit a742f9828ea which was included in v246, so this is fixed already in groovy.
[original description]
Hi,
1)
Description: Ubuntu 20.04.1 LTS
Release: 20.04
2)
systemd: 245.4-4ubuntu3.2
3)
I set VerifyHostKeyDNS to YES and hosts are automatically verified via sshfp.
4)
I still get the security question
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
The issue is known and fixed in systemd v246.
https://github.com/systemd/systemd/pull/16072
Best regards
Daniel |
|
2020-10-01 14:17:51 |
Dan Streetman |
nominated for series |
|
Ubuntu Focal |
|
2020-10-01 14:17:51 |
Dan Streetman |
bug task added |
|
systemd (Ubuntu Focal) |
|
2020-10-01 14:17:56 |
Dan Streetman |
systemd (Ubuntu): status |
New |
Fix Released |
|
2020-10-01 14:24:54 |
Dan Streetman |
description |
[impact]
without trust-ad resolv.conf option, glibc will strip AD from systemd-resolved responses. one thing this will prevent working is ssh/sftp VerifyHostKeyDNS
[test case]
TBD
[regression potential]
TBD
[scope]
this is needed only in focal.
glibc first stripped the AD in version 2.31, so this is not needed in bionic or earlier.
this was added upstream in commit a742f9828ea which was included in v246, so this is fixed already in groovy.
[original description]
Hi,
1)
Description: Ubuntu 20.04.1 LTS
Release: 20.04
2)
systemd: 245.4-4ubuntu3.2
3)
I set VerifyHostKeyDNS to YES and hosts are automatically verified via sshfp.
4)
I still get the security question
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
The issue is known and fixed in systemd v246.
https://github.com/systemd/systemd/pull/16072
Best regards
Daniel |
[impact]
without trust-ad resolv.conf option, glibc will strip AD from systemd-resolved responses. one thing this will prevent working is ssh/sftp VerifyHostKeyDNS
[test case]
TBD
[regression potential]
regressions would likely involve DNS lookup failures, probably if DNSSEC is enabled but possibly even without, and likely when the application requesting the dns lookup processes the response AD.
[scope]
this is needed only in focal.
glibc first stripped the AD in version 2.31, so this is not needed in bionic or earlier.
this was added upstream in commit a742f9828ea which was included in v246, so this is fixed already in groovy.
[original description]
Hi,
1)
Description: Ubuntu 20.04.1 LTS
Release: 20.04
2)
systemd: 245.4-4ubuntu3.2
3)
I set VerifyHostKeyDNS to YES and hosts are automatically verified via sshfp.
4)
I still get the security question
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
The issue is known and fixed in systemd v246.
https://github.com/systemd/systemd/pull/16072
Best regards
Daniel |
|
2020-10-01 14:24:59 |
Dan Streetman |
systemd (Ubuntu Focal): assignee |
|
Dan Streetman (ddstreet) |
|
2020-10-01 14:25:01 |
Dan Streetman |
systemd (Ubuntu Focal): importance |
Undecided |
Medium |
|
2020-10-01 14:25:03 |
Dan Streetman |
systemd (Ubuntu Focal): status |
New |
In Progress |
|
2020-10-01 14:35:25 |
Dan Streetman |
description |
[impact]
without trust-ad resolv.conf option, glibc will strip AD from systemd-resolved responses. one thing this will prevent working is ssh/sftp VerifyHostKeyDNS
[test case]
TBD
[regression potential]
regressions would likely involve DNS lookup failures, probably if DNSSEC is enabled but possibly even without, and likely when the application requesting the dns lookup processes the response AD.
[scope]
this is needed only in focal.
glibc first stripped the AD in version 2.31, so this is not needed in bionic or earlier.
this was added upstream in commit a742f9828ea which was included in v246, so this is fixed already in groovy.
[original description]
Hi,
1)
Description: Ubuntu 20.04.1 LTS
Release: 20.04
2)
systemd: 245.4-4ubuntu3.2
3)
I set VerifyHostKeyDNS to YES and hosts are automatically verified via sshfp.
4)
I still get the security question
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
The issue is known and fixed in systemd v246.
https://github.com/systemd/systemd/pull/16072
Best regards
Daniel |
[impact]
without trust-ad resolv.conf option, glibc will strip AD from systemd-resolved responses. one thing this will prevent working is ssh VerifyHostKeyDNS
[test case]
setup a target system to ssh into, and create a SSHFP DNS record for its public key. on a different source system, setup dns to enable DNSSEC, and attempt to ssh to the target system using the VerifyHostKeyDNS=yes option.
setup of the SSHFP is out of scope for this bug, but e.g.:
https://en.wikipedia.org/wiki/SSHFP_record
https://tools.ietf.org/html/rfc4255
[regression potential]
regressions would likely involve DNS lookup failures, probably if DNSSEC is enabled but possibly even without, and likely when the application requesting the dns lookup processes the response AD.
[scope]
this is needed only in focal.
glibc first stripped the AD in version 2.31, so this is not needed in bionic or earlier.
this was added upstream in commit a742f9828ea which was included in v246, so this is fixed already in groovy.
[original description]
Hi,
1)
Description: Ubuntu 20.04.1 LTS
Release: 20.04
2)
systemd: 245.4-4ubuntu3.2
3)
I set VerifyHostKeyDNS to YES and hosts are automatically verified via sshfp.
4)
I still get the security question
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
The issue is known and fixed in systemd v246.
https://github.com/systemd/systemd/pull/16072
Best regards
Daniel |
|
2020-10-15 13:02:55 |
Dan Streetman |
description |
[impact]
without trust-ad resolv.conf option, glibc will strip AD from systemd-resolved responses. one thing this will prevent working is ssh VerifyHostKeyDNS
[test case]
setup a target system to ssh into, and create a SSHFP DNS record for its public key. on a different source system, setup dns to enable DNSSEC, and attempt to ssh to the target system using the VerifyHostKeyDNS=yes option.
setup of the SSHFP is out of scope for this bug, but e.g.:
https://en.wikipedia.org/wiki/SSHFP_record
https://tools.ietf.org/html/rfc4255
[regression potential]
regressions would likely involve DNS lookup failures, probably if DNSSEC is enabled but possibly even without, and likely when the application requesting the dns lookup processes the response AD.
[scope]
this is needed only in focal.
glibc first stripped the AD in version 2.31, so this is not needed in bionic or earlier.
this was added upstream in commit a742f9828ea which was included in v246, so this is fixed already in groovy.
[original description]
Hi,
1)
Description: Ubuntu 20.04.1 LTS
Release: 20.04
2)
systemd: 245.4-4ubuntu3.2
3)
I set VerifyHostKeyDNS to YES and hosts are automatically verified via sshfp.
4)
I still get the security question
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
The issue is known and fixed in systemd v246.
https://github.com/systemd/systemd/pull/16072
Best regards
Daniel |
[impact]
without trust-ad resolv.conf option, glibc will strip AD from systemd-resolved responses. one thing this will prevent working is ssh VerifyHostKeyDNS
[test case]
see https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1898590/comments/7
[regression potential]
regressions would likely involve DNS lookup failures, probably if DNSSEC is enabled but possibly even without, and likely when the application requesting the dns lookup processes the response AD.
[scope]
this is needed only in focal.
glibc first stripped the AD in version 2.31, so this is not needed in bionic or earlier.
this was added upstream in commit a742f9828ea which was included in v246, so this is fixed already in groovy.
[original description]
Hi,
1)
Description: Ubuntu 20.04.1 LTS
Release: 20.04
2)
systemd: 245.4-4ubuntu3.2
3)
I set VerifyHostKeyDNS to YES and hosts are automatically verified via sshfp.
4)
I still get the security question
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
The issue is known and fixed in systemd v246.
https://github.com/systemd/systemd/pull/16072
Best regards
Daniel |
|
2020-10-27 17:17:09 |
Brian Murray |
systemd (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2020-10-27 17:17:11 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2020-10-27 17:17:13 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2020-10-27 17:17:18 |
Brian Murray |
tags |
|
verification-needed verification-needed-focal |
|
2020-10-28 08:44:44 |
Daniel von Obernitz |
tags |
verification-needed verification-needed-focal |
verification-done-focal verification-needed |
|
2020-11-03 23:36:46 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2020-11-03 23:38:39 |
Launchpad Janitor |
systemd (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|