IETF-SSH archive


Re: [saag] ssh-keygen -r should support SSHFP records for ECDSA (or at least return non-zero error code on failure)
Thanks Mark,

Yes, I'm happy to AD sponsor. No one objected when I asked
before and it seems quite reasonable.

Ondřej - I'll start an IETF LC since there only seem to be
typos to be fixed.

Cheers,
S.

On 11/23/2011 06:06 AM, Mark D. Baushke wrote:
Hi Daniel,

Daniel Kahn Gillmor <dkg%fifthhorseman.net@localhost> writes:

hi folks:

it looks like ssh-keygen -r can't export SSHFP records for ECDSA keys:

0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -f foobar -t ecdsa -q -P ''
0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -r foobar -f foobar.pub
export_dns_rr: unsupported algorithm
0 dkg@pip:/tmp/cdtemp.oiRYAS$

the first number in my prompt is the return code of the last command;
note that ssh-keygen -r fails to produce an SSHFP DNS RR, but it returns 0.

at the least, it should return non-zero on failure.


I note that the relevant RFC doesn't include an enumeration for ECDSA:

  https://tools.ietf.org/html/rfc4255#section-3.1.1

Could anyone on this list kick off the IETF process for allocating a new
ID in that registry for ECDSA?  I'm not currently involved in the IETF's
Network Working Group so i don't really know the political landscape there.

I believe that the SSH development community will need to support this
effort:

   http://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2-00

which specifies values for both the ECDSA algorithm and a SHA-256
fingerprint algorithm.

RFC 4255 enumerates the RSA and DSS algorithms and the SHA-1 fingerprint
type.

draft-os-ietf-sshfp-ecdsa-sha2-00 authored by O. Sury has a typo in the
draft suggesting that they update RFC 4225 which is wrong, but it seems
to be a simple typo as the body of the draft references RFC 4255.

However, it does add ECDSA to the SSHFP RR types and SHA-256 to the
fingerprint types.

The draft expires on Dec 18, 2011.

This draft was sent to saag%ietf.org@localhost and the author also wrote a patch
for OpenSSH (portable) in

https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/entry/ssh-sshfp-ecdsa.patch

See the message thread here:

   http://www.ietf.org/mail-archive/web/saag/current/msg03326.html
   http://www.ietf.org/mail-archive/web/saag/current/msg03327.html

Stephen Farrell <stephen.farrell%cs.tcd.ie@localhost> says that the author is
asking the AD to sponsor the work. And Warren Kumari <warren%kumari.net@localhost>
has added his support.

This seems like something that should be raised on the
ietf-ssh%NetBSD.org@localhost list with a CC to saag%ietf.org@localhost, so
I have added these two lists to my response to this message.

For the record, my vote is +1 for this draft.

	-- Mark
_______________________________________________
saag mailing list
saag%ietf.org@localhost
https://www.ietf.org/mailman/listinfo/saag
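The thread turns on two things: what goes into an SSHFP RR (an algorithm number, a fingerprint type, and a hash of the raw public-key blob), and the fact that ssh-keygen -r exited 0 while producing nothing for an ECDSA key. The following is an added example, written for this archive page; it is not code from the thread, from OpenSSH, or from the draft's patch. It builds SSHFP records the way RFC 4255 defines them (algorithm 1 = RSA, 2 = DSS, fingerprint type 1 = SHA-1) and adds the values draft-os-ietf-sshfp-ecdsa-sha2 assigns, which it kept when published as RFC 6594 (algorithm 3 = ECDSA, fingerprint type 2 = SHA-256). The sample public-key lines are constructed placeholders with the correct wire layout, not real keys, and the key type "ssh-example-alg" is hypothetical, used only to show an unsupported algorithm turning into a non-zero exit status.

```python
"""Produce SSHFP resource records from OpenSSH public-key lines (added example)."""
import base64
import hashlib
import struct
import sys

# Algorithm numbers: RFC 4255 defines 1 (RSA) and 2 (DSS); the draft discussed in
# the thread (later RFC 6594) assigns 3 to ECDSA, whatever the curve.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
}

# Fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (the draft / RFC 6594).
FINGERPRINT_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


class UnsupportedAlgorithm(ValueError):
    """Raised instead of silently printing nothing, so callers can exit non-zero."""


def fingerprint(blob, fptype):
    """Hex digest of the raw public-key blob under the given SSHFP fingerprint type."""
    try:
        digest = FINGERPRINT_TYPES[fptype]
    except KeyError:
        raise UnsupportedAlgorithm("unsupported fingerprint type %d" % fptype)
    return digest(blob).hexdigest()


def parse_pubkey_line(line):
    """Split an OpenSSH public-key line into (key type, decoded blob).

    The type name in the first column must equal the string that opens the blob;
    otherwise the record would advertise a different key than the one hashed.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    keytype = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii", "replace") != keytype:
        raise ValueError("key type field does not match blob")
    return keytype, blob


def sshfp_records(owner, line, fptypes=(1, 2)):
    """Return one presentation-format SSHFP RR per requested fingerprint type."""
    keytype, blob = parse_pubkey_line(line)
    try:
        alg = SSHFP_ALGORITHMS[keytype]
    except KeyError:
        raise UnsupportedAlgorithm("export_dns_rr: unsupported algorithm %s" % keytype)
    return ["%s IN SSHFP %d %d %s" % (owner, alg, fpt, fingerprint(blob, fpt))
            for fpt in fptypes]


def _ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _pubkey_line(keytype, *fields):
    """Assemble an OpenSSH public-key line from a type name and its blob fields."""
    blob = _ssh_string(keytype.encode()) + b"".join(_ssh_string(f) for f in fields)
    return "%s %s example@host" % (keytype, base64.b64encode(blob).decode())


# Constructed sample keys (not real key material): the field contents are filler,
# only the blob layout is faithful, which is all the fingerprint depends on.
SAMPLE_RSA = _pubkey_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 256)
SAMPLE_ECDSA = _pubkey_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\xcd" * 64)
SAMPLE_UNKNOWN = _pubkey_line("ssh-example-alg", b"\xef" * 32)  # hypothetical type


def main(argv):
    """Exit 0 only if every key produced records; 1 if any was unsupported."""
    owner = argv[1] if len(argv) > 1 else "host.example."
    status = 0
    for line in (SAMPLE_RSA, SAMPLE_ECDSA, SAMPLE_UNKNOWN):
        try:
            for rr in sshfp_records(owner, line):
                print(rr)
        except UnsupportedAlgorithm as exc:
            print(exc, file=sys.stderr)
            status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it prints four records (RSA and ECDSA, each with a SHA-1 and a SHA-256 fingerprint), reports the hypothetical key type on stderr, and exits 1, which is the behaviour dkg asks for. The check in parse_pubkey_line that the blob's leading string matches the key type in column one is cheap and worth keeping in any real exporter: the fingerprint covers the blob, so a mismatched label would publish a record that names one algorithm while hashing another.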