Re: [saag] ssh-keygen -r should support SSHFP records for ECDSA (or at least return non-zero error code on failure)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 06 December 2011 15:27 UTC
Message-ID: <4EDE3431.6050403@cs.tcd.ie>
Date: Tue, 06 Dec 2011 15:26:41 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: ietf-ssh@NetBSD.org, saag@ietf.org
CC: "openssh-unix-dev@mindrot.org" <openssh-unix-dev@mindrot.org>
Subject: Re: [saag] ssh-keygen -r should support SSHFP records for ECDSA (or at least return non-zero error code on failure)
References: <4ECA6E4D.3030101@fifthhorseman.net> <98237.1322028405@eng-mail01.juniper.net> <4ECCADE5.30708@cs.tcd.ie>
In-Reply-To: <4ECCADE5.30708@cs.tcd.ie>
FYI - IETF last call for this has just gone out. [1]

Please comment on ietf@ietf.org if there are issues that need
to be raised.

Thanks,
Stephen.

[1] http://www.ietf.org/mail-archive/web/ietf-announce/current/msg09643.html

On 11/23/2011 08:25 AM, Stephen Farrell wrote:
>
> Thanks Mark,
>
> Yes, I'm happy to AD sponsor. No one objected when I asked
> before and it seems quite reasonable.
>
> Ondřej - I'll start an IETF LC since there only seem to be
> typos to be fixed.
>
> Cheers,
> S.
>
> On 11/23/2011 06:06 AM, Mark D. Baushke wrote:
>> Hi Daniel,
>>
>> Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
>>
>>> hi folks:
>>>
>>> it looks like ssh-keygen -r can't export SSHFP records for ECDSA keys:
>>>
>>> 0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -f foobar -t ecdsa -q -P ''
>>> 0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -r foobar -f foobar.pub
>>> export_dns_rr: unsupported algorithm
>>> 0 dkg@pip:/tmp/cdtemp.oiRYAS$
>>>
>>> the first number in my prompt is the return code of the last command;
>>> note that ssh-keygen -r fails to produce an SSHFP DNS RR, but it
>>> returns 0.
>>>
>>> at the least, it should return non-zero on failure.
>>>
>>>
>>> I note that the relevant RFC doesn't include an enumeration for ECDSA:
>>>
>>> https://tools.ietf.org/html/rfc4255#section-3.1.1
>>>
>>> Could anyone on this list kick off the IETF process for allocating a new
>>> ID in that registry for ECDSA? I'm not currently involved in the IETF's
>>> Network Working Group so i don't really know the political landscape
>>> there.
>>
>> I believe that the SSH development community will need to support this
>> effort:
>>
>> http://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2-00
>>
>> which specifies values for both the ECDSA algorithm and a SHA-256
>> fingerprint algorithm.
>>
>> RFC 4255 enumerates the RSA and DSS algorithms and the SHA-1 fingerprint
>> type.
>>
>> draft-os-ietf-sshfp-ecdsa-sha2-00 authored by O. Sury has a typo in the
>> draft suggesting that they update RFC 4225 which is wrong, but it seems
>> to be a simple typo as the body of the draft references RFC 4255.
>>
>> However, it does add ECDSA to the SSHFP RR types and SHA-256 to the
>> fingerprint types.
>>
>> The draft expires on Dec 18, 2011.
>>
>> This draft was sent to saag@ietf.org and the author also wrote a patch
>> for OpenSSH (portable) in
>>
>> https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/entry/ssh-sshfp-ecdsa.patch
>>
>>
>> See the message thread here:
>>
>> http://www.ietf.org/mail-archive/web/saag/current/msg03326.html
>> http://www.ietf.org/mail-archive/web/saag/current/msg03327.html
>>
>> Stephen Farrell <stephen.farrell@cs.tcd.ie> says that the author is
>> asking the AD to sponsor the work. And Warren Kumari <warren@kumari.net>
>> has added his support.
>>
>> This seems like something that should be raised on the
>> ietf-ssh@NetBSD.org list with a CC to saag@ietf.org, so
>> I have added these two lists to my response to this message.
>>
>> For the record, my vote is +1 for this draft.
>>
>> -- Mark
>> _______________________________________________
>> saag mailing list
>> saag@ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
>>
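The records Daniel's `ssh-keygen -r` run failed to emit, built by hand as an added example (this is not code from the thread, from OpenSSH, or from the draft's patch). It takes an OpenSSH public-key line, hashes the decoded key blob as RFC 4255 section 3.1 specifies, and prints one SSHFP RR per fingerprint type. RSA = 1, DSS = 2 and SHA-1 = 1 are the RFC 4255 values; ECDSA = 3 and SHA-256 = 2 are the numbers the draft's successor, RFC 6594, assigned, and are taken as assumptions here since the thread cites only the -00 draft. Unlike the ssh-keygen behaviour shown in the quoted transcript, an unsupported key type raises, so the command-line wrapper exits non-zero. The sample key is constructed (a dummy curve point), not a real key.

```python
"""Emit SSHFP resource records for an OpenSSH public-key line.

Added example, not code from the thread, from OpenSSH, or from the draft's
patch.  Algorithm numbers RSA=1, DSS=2 and fingerprint type SHA-1=1 are from
RFC 4255; ECDSA=3 and SHA-256=2 are the values the draft's successor RFC 6594
assigned (taken as an assumption here, since the thread cites only draft -00).
"""
import base64
import hashlib
import struct
import sys
from typing import List, Tuple

# SSHFP algorithm number keyed by the OpenSSH key-type string.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,  # assumption: value per RFC 6594
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
}

# SSHFP fingerprint type -> digest constructor (2 = SHA-256, assumed per RFC 6594).
FINGERPRINT_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


class UnsupportedAlgorithm(ValueError):
    """Key type with no SSHFP algorithm number; callers must treat this as failure."""


def ssh_string(data: bytes) -> bytes:
    """Encode one RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Split 'keytype base64 [comment]' and check the blob's embedded type string matches."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public-key line")
    keytype, blob = parts[0], base64.b64decode(parts[1])
    (inner_len,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + inner_len].decode("ascii")
    if inner_type != keytype:
        raise ValueError("key type %r does not match blob type %r" % (keytype, inner_type))
    return keytype, blob


def fingerprint(blob: bytes, fptype: int) -> str:
    """Hex digest over the raw key blob, which is what RFC 4255 section 3.1 hashes."""
    return FINGERPRINT_TYPES[fptype](blob).hexdigest()


def sshfp_records(hostname: str, line: str, fptypes: Tuple[int, ...] = (1, 2)) -> List[str]:
    """One presentation-format SSHFP RR per fingerprint type, or UnsupportedAlgorithm."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS.get(keytype)
    if alg is None:
        # Fail loudly instead of printing a diagnostic and returning success.
        raise UnsupportedAlgorithm("no SSHFP algorithm number for %s" % keytype)
    return ["%s IN SSHFP %d %d %s" % (hostname, alg, t, fingerprint(blob, t)) for t in fptypes]


def constructed_pubkey_line(keytype: str, fields: List[bytes]) -> str:
    """Build a syntactically valid public-key line from constructed fields (not a real key)."""
    blob = ssh_string(keytype.encode("ascii")) + b"".join(ssh_string(f) for f in fields)
    return "%s %s constructed@example" % (keytype, base64.b64encode(blob).decode("ascii"))


def constructed_ecdsa_pubkey_line() -> str:
    """ecdsa-sha2-nistp256 line whose point is a dummy 0x04 || 64 bytes (constructed)."""
    point = b"\x04" + bytes(range(1, 65))
    return constructed_pubkey_line("ecdsa-sha2-nistp256", [b"nistp256", point])


def main(argv: List[str]) -> int:
    """Usage: sshfp.py HOSTNAME < key.pub  (exits 1 on an unsupported key type)."""
    if len(argv) != 2:
        sys.stderr.write("usage: %s HOSTNAME < key.pub\n" % argv[0])
        return 2
    try:
        for record in sshfp_records(argv[1], sys.stdin.readline()):
            print(record)
    except (UnsupportedAlgorithm, ValueError) as exc:
        sys.stderr.write("export_dns_rr: %s\n" % exc)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 sshfp.py host.example. < foobar.pub`; the exit status is what a DNS provisioning script should check, since the presence or absence of output alone is exactly the signal the thread found unreliable. The type-string check in `parse_pubkey_line` guards against a key file whose prefix was edited without regenerating the blob, which would otherwise publish a fingerprint under the wrong algorithm number.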