https://bugzilla.mindrot.org/show_bug.cgi?id=3781
Bug ID: 3781
Summary: IPv6 inconsistency causes TOFU
Product: Portable OpenSSH
Version: 9.7p1
Hardware: All
OS: Other
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-b...@mindrot.org
Reporter: sshbugs.to.dav...@spamgourmet.com

I have anonymised potentially identifiable data in my commands and outputs.

I have been allocated a /64 IPv6 range, the fourth group of which is 0. If I replace the IPv6 host pattern in known_hosts with xxxx:yyyy:zzzz:*, the certificate works, but would also work for networks outside my allocated range. If I change it to xxxx:yyyy:zzzz::* it also works for this particular address, but fails for some addresses that are generated dynamically. The only solution I can see is to use two patterns for the same range. This breaks the principles of both least astonishment and DRY.

Since, as demonstrated by the second test, ssh converts IPv6 addresses from the command line, would it be possible to carry out the same conversion on addresses from known_hosts? Perhaps CIDR would do the job. If not, please could this behaviour and the need for two ranges (or a better workaround) be documented somewhere?

C:\Users\Administrator>c:\cwrsync_6.3.0_x64_free\bin\ssh user@xxxx:yyyy:zzzz::f3
The authenticity of host 'xxxx:yyyy:zzzz::f3 (xxxx:yyyy:zzzz::f3)' can't be established.
ED25519 key fingerprint is SHA256:qwerqwerqwerqwerqwerqwerqwerqwerqwerqwerqwe.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? no
Host key verification failed.

C:\Users\Administrator>c:\cwrsync_6.3.0_x64_free\bin\ssh user@xxxx:yyyy:zzzz:0::f3
The authenticity of host 'xxxx:yyyy:zzzz::f3 (xxxx:yyyy:zzzz::f3)' can't be established.
ED25519 key fingerprint is SHA256:qwerqwerqwerqwerqwerqwerqwerqwerqwerqwerqwe.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? no
Host key verification failed.

C:\Users\Administrator>cat \cwrsync_6.3.0_x64_free\known_hosts
@cert-authority *.lan.xxxxxxxxxxxxxx,192.168.51.*,192.168.1.*,192.168.13.*,xxxx:yyyy:zzzz:0:* ssh-ed25519 asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdf host_ca.pub

-- 
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
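Added example, not part of the bug report or of OpenSSH: a small Python script that reproduces the mismatch the reporter describes, using the constructed documentation prefix 2001:db8:abcd:0::/64 in place of the anonymised xxxx:yyyy:zzzz:0::/64. It assumes that fnmatch is a fair stand-in for the textual '*' matching applied to known_hosts host fields and that the ipaddress module canonicalises addresses the same way ssh did when it printed xxxx:yyyy:zzzz:0::f3 as xxxx:yyyy:zzzz::f3.

```python
import fnmatch
import ipaddress

# Constructed stand-in for the reporter's anonymised range xxxx:yyyy:zzzz:0::/64.
# 2001:db8::/32 is the IPv6 documentation prefix, not a real allocation.
PREFIX = ipaddress.ip_network("2001:db8:abcd:0::/64")

# Constructed sample hosts: the static host from the report, a dynamically
# generated address in the same /64 (only one zero group, so RFC 5952 forbids
# "::"), and a host in the neighbouring /64 that was never allocated.
HOSTS = {
    "static":  "2001:db8:abcd:0::f3",
    "dynamic": "2001:db8:abcd:0:1a2b:3c4d:5e6f:7a8b",
    "outside": "2001:db8:abcd:1::f3",
}

def canonical(addr: str) -> str:
    """Compressed RFC 5952 text form, which is what ssh printed for the address
    typed as xxxx:yyyy:zzzz:0::f3. Assumption: ipaddress compresses the same way."""
    return str(ipaddress.ip_address(addr))

def glob_match(pattern: str, addr: str) -> bool:
    """Textual '*' match against the canonical string, standing in for the
    wildcard matching of known_hosts host fields (assumption, not OpenSSH code)."""
    return fnmatch.fnmatchcase(canonical(addr), pattern)

def cidr_match(addr: str, network: ipaddress.IPv6Network = PREFIX) -> bool:
    """Range membership: the semantics the reporter would like to express."""
    return ipaddress.ip_address(addr) in network

def evaluate(pattern: str) -> dict:
    """Which of the constructed hosts a known_hosts-style pattern would accept."""
    return {name: glob_match(pattern, a) for name, a in HOSTS.items()}

if __name__ == "__main__":
    # The three patterns from the report: too broad, misses dynamic hosts,
    # misses the compressed static host. Only the CIDR check accepts exactly
    # the allocated /64.
    for p in ("2001:db8:abcd:*", "2001:db8:abcd::*", "2001:db8:abcd:0:*"):
        print(f"{p:20} -> {evaluate(p)}")
    print(f"{'CIDR /64':20} -> {{n: cidr_match(a) for n, a in HOSTS.items()}}")
```

Neither single glob accepts both in-range hosts while rejecting the neighbouring /64, which is why the reporter ends up needing two patterns for one range.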