Mailing List Archive: OpenSSH: Dev

feature request: modify getrrsetbyname() to use libunbound

Index | Next | Previous | View Threaded

lfilipoz at emyr

May 8, 2012, 9:20 PM

Post #1 of 15 (761 views)
Permalink

feature request: modify getrrsetbyname() to use libunbound

Dear OpenSSH Developers,

I'm a member of the Debian System Administration (DSA) team. [1] We
manage the Debian Projects computing infrastructure.

Recently, DSA had the opportunity to address a member's request that we
begin using certificates to authenticate Debian Project machines to ssh
clients. We provided a lengthy reply, the summary of which is "we
publish SSHFP records; use VerifyHostKeyDNS; set up a local caching
resolver to avoid MITM attacks".

That said, it seems rather cumbersome to have users install a local
caching resolver in order to secure the last mile of DNS queries (who
trusts their ISP, after all), so we postulated whether it would be
possible to modify openssh such that the ssh client could perform the
queries itself.

It turns out that this is quite straightforward to implement (see
preliminary patch, attached), entirely because you have have well
encapsulated the DNS query code.

Since we are quite concerned that our project members (let alone our
general user population) aren't managing their known_hosts in a secure
or timely manner, we are keen on using SSHFP records .. but only if the
DNSSEC last mile issue can be addressed in a relatively easy way for
users.

We propose that openssh be modified as follows:

(1) introduce a new ssh_config directive: UnboundConfigurationFile

(2) modify getrrsetbyname() such that, if UnboundConfigurationFile is
set, then the unbound resolver is used; if not, then libc

(3) provide a default unbound configuration in /etc/ssh/ssh_unbound_conf

In this way, the standard mode of operation for ssh remains unchanged by
default. Users who would like to use SSHFP records in a secure manner
would set the configuration directive.

Please find attached a preliminary patch that modifies getrrsetbyname()
to use libunbound rather than libc.

We have proposed [2] this modification to the Debian openssh package
maintainers. Knowing that they (and we, too, frankly) would prefer the
modification to be adopted by upstream, I've subscribed to the
openssh-unix-dev list to begin the discussion (I've carbon copied my DSA
colleagues and the openssh package maintainers so that they are aware).

If there is interest in this proposal, I would be pleased to work with
you to complete the patch. (In the meantime, I'm using openssh patched
with libunbound on my macbook since OS/X's libc doesn't support DNSSEC.)

Thanks for your consideration,

Luca Filipozzi

[1] http://www.debian.org/intro/organization
[2] http://lists.debian.org/debian-ssh/2012/05/msg00004.html

--
Luca Filipozzi
Member, Debian System Administration Team

Attachments:

openssh.diff (2.59 KB)

signature.asc (0.19 KB)

peter at stuge

May 8, 2012, 11:08 PM

Post #2 of 15 (730 views)
Permalink

Re: feature request: modify getrrsetbyname() to use libunbound [In reply to]

Luca Filipozzi wrote:
> We propose that openssh be modified as follows:
>
> (1) introduce a new ssh_config directive: UnboundConfigurationFile

I don't think any SSH configuration directives should be tied to a
specific implementation of anything outside the SSH domain.

> (3) provide a default unbound configuration in /etc/ssh/ssh_unbound_conf

What needs to be set in that config? I think adding DNSSEC-related
directives to ssh_config and perhaps also sshd_config would be more
in line with the rest of the configuration directives.

Hopefully configuration can be given also programatically to
libunbound, so that OpenSSH could use the same configuration
directives regardless of which resolver library is used.

//Peter

dtucker at zip

May 8, 2012, 11:41 PM

Post #3 of 15 (731 views)
Permalink

Re: feature request: modify getrrsetbyname() to use libunbound [In reply to]

On Wed, May 09, 2012 at 04:20:33AM +0000, Luca Filipozzi wrote:
[...]
> We propose that openssh be modified as follows:
>
> (1) introduce a new ssh_config directive: UnboundConfigurationFile
>
> (2) modify getrrsetbyname() such that, if UnboundConfigurationFile is
> set, then the unbound resolver is used; if not, then libc
>
> (3) provide a default unbound configuration in /etc/ssh/ssh_unbound_conf

OK, here's my opinion:
- I am OK with adding support for libunbound (we already have
compile-time support for an alternate resolver, ldns), however
- I am oposed to a new configuration file option because
Portable-specific options increase the maintenance burden in both
directions.

But first: why doesn't the system resolver support dnssec? Wouldn't the
effort be better spent fixing that instead?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

lfilipoz at emyr

May 9, 2012, 12:00 AM

Post #4 of 15 (733 views)
Permalink

Re: feature request: modify getrrsetbyname() to use libunbound [In reply to]

On Wed, May 09, 2012 at 08:08:47AM +0200, Peter Stuge wrote:
> Luca Filipozzi wrote:
> > We propose that openssh be modified as follows:
> >
> > (1) introduce a new ssh_config directive: UnboundConfigurationFile
>
> I don't think any SSH configuration directives should be tied to a
> specific implementation of anything outside the SSH domain.

Fair enough. I'm more interested in achieving good DNSSEC behaviour
than I am in introducing unbound-specific configuration directives.

> > (3) provide a default unbound configuration in /etc/ssh/ssh_unbound_conf
>
> What needs to be set in that config? I think adding DNSSEC-related
> directives to ssh_config and perhaps also sshd_config would be more
> in line with the rest of the configuration directives.

The patch that I attached uses ub_ctx_config(<filename>), which laods
an unbound-specific configuration. It was an attempt to limit the
number of ssh_config directives that might be needed.

I expect that we will need at least two directives:

(1) something that specifies the root anchor to prime DNSSEC

DNSSECRootAnchorFile <filename>

and/or

DNSSECRootAnchor <string>

(2) something that sets edns0 buffer size to deal with broken networks

ExtendedDNSBufferSize <string>

Both of these are DNSSEC-general rather than unbound-specific.

> Hopefully configuration can be given also programatically to
> libunbound, so that OpenSSH could use the same configuration
> directives regardless of which resolver library is used.

Absolutely.

We can use ub_ctx_add_ta(<string>) or ub_ctx_add_file(<filename>) for
the first one.

We can use ub_ctx_set_option("edns_buffer_size", <string>) for the
second.

I'm happy to move in this direction.

--
Luca Filipozzi
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

ondrej at caletka

May 9, 2012, 12:50 AM

Post #5 of 15 (738 views)
Permalink

Re: feature request: modify getrrsetbyname() to use libunbound [In reply to]

Dne 9.5.2012 06:20, Luca Filipozzi napsal(a):
> That said, it seems rather cumbersome to have users install a local
> caching resolver in order to secure the last mile of DNS queries (who
> trusts their ISP, after all), so we postulated whether it would be
> possible to modify openssh such that the ssh client could perform the
> queries itself.

Wouldn't it be done by just adding trust anchor to current ldns
resolving code? It looks like there is already some kind of autonomous
validation attempt in getrrsetbyname-ldns.c:

/* Check for authenticated data */
if (ldns_pkt_ad(pkt)) {
rrset->rri_flags |= RRSET_VALIDATED;
} else { /* AD is not set, try autonomous validation */
ldns_rr_list * trusted_keys = ldns_rr_list_new();

Regards,
Ondřej Caletka
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

lfilipoz at emyr

May 9, 2012, 1:49 AM

Post #6 of 15 (734 views)
Permalink

Re: feature request: modify getrrsetbyname() to use libunbound [In reply to]

On Wed, May 09, 2012 at 04:41:32PM +1000, Darren Tucker wrote:
> OK, here's my opinion:
> - I am OK with adding support for libunbound (we already have
> compile-time support for an alternate resolver, ldns), however

*blush* Should have looked at 6.0 release notes. I'm going to give 6.0
a try now.

> - I am oposed to a new configuration file option because
> Portable-specific options increase the maintenance burden in both
> directions.

See other response but may be moot given 6.0 + ldns.

> But first: why doesn't the system resolver support dnssec? Wouldn't the
> effort be better spent fixing that instead?

Certainly. However, there can be a lengthy delay in accomplishing this
for certain operating systems. Again, may be moot given 6.0 + ldns.

--
Luca Filipozzi
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

lfilipoz at emyr

May 9, 2012, 2:30 AM

Post #7 of 15 (723 views)
Permalink

Re: feature request: modify getrrsetbyname() to use libunbound [In reply to]

On Wed, May 09, 2012 at 09:50:22AM +0200, Ond??ej Caletka wrote:
> Dne 9.5.2012 06:20, Luca Filipozzi napsal(a):
> > That said, it seems rather cumbersome to have users install a local
> > caching resolver in order to secure the last mile of DNS queries (who
> > trusts their ISP, after all), so we postulated whether it would be
> > possible to modify openssh such that the ssh client could perform the
> > queries itself.
>
> Wouldn't it be done by just adding trust anchor to current ldns
> resolving code?

It's sufficient to add "anchor /path/to/root.key" to /etc/resolv.conf.

Thanks very much for adding ldns support to 6.0. I don't think we need
both libunbound (which links against libldns) and libldns.

--
Luca Filipozzi
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

ondrej at caletka

May 9, 2012, 3:44 AM

Post #8 of 15 (724 views)
Permalink

Re: feature request: modify getrrsetbyname() to use libunbound [In reply to]

Dne 9.5.2012 11:30, Luca Filipozzi napsal(a):
>
> It's sufficient to add "anchor /path/to/root.key" to /etc/resolv.conf.
Wow, thanks for pointing it out, I didn't know about this ldns feature.
Maybe there should be some note in the documentation.

There is only one pitfall. The autonomous validation is attempted only
if the DNS response does not contain the AD flag. Therefore if someone
changes the DNS response on the wire and leaves the AD flag set,
spurious data are trusted without further validating. This is not
secure, as link between computer and DNS resolver cannot be generally
trusted.

Regards,
Ondřej Caletka
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

rstory at tislabs

May 9, 2012, 5:50 AM

Post #9 of 15 (723 views)
Permalink

Re: feature request: modify getrrsetbyname() to use libunbound [In reply to]

On Wed, 9 May 2012 16:41:32 +1000 Darren wrote:
DT> On Wed, May 09, 2012 at 04:20:33AM +0000, Luca Filipozzi wrote:
DT> [...]
DT> > We propose that openssh be modified as follows:
DT> >
DT> > (1) introduce a new ssh_config directive: UnboundConfigurationFile
DT> >
DT> > (2) modify getrrsetbyname() such that, if UnboundConfigurationFile is
DT> > set, then the unbound resolver is used; if not, then libc
DT> >
DT> > (3) provide a default unbound configuration
DT> > in /etc/ssh/ssh_unbound_conf
DT>
DT> OK, here's my opinion:
DT> - I am OK with adding support for libunbound (we already have
DT> compile-time support for an alternate resolver, ldns), however

There is also a patch that I submitted back in 2009 to use libval from
DNSSEC-Tools to do local validation. Any chance of getting that accepted?
The last time I updated it was for 5.8, but I'd be glad to update it for
6.0 if there's a chance it will be accepted.

https://bugzilla.mindrot.org/show_bug.cgi?id=1672

We also added a new option, AutoAnswerValidatedKeys, to (optionally)
automatically accept new keys which match a DNSSEC validated sshfp record.
And we always do the validation in the library, and do not ever trust the
AD bit from remote resolvers.

Robert

--
Senior Software Engineer
SPARTA, Inc., a Parsons Company

Attachments:

signature.asc (0.19 KB)

rstory at tislabs

May 9, 2012, 5:59 AM

Post #10 of 15 (726 views)
Permalink

Re: feature request: modify getrrsetbyname() to use libunbound [In reply to]

On Wed, 09 May 2012 12:44:13 +0200 Ondřej wrote:
OC> There is only one pitfall. The autonomous validation is attempted only
OC> if the DNS response does not contain the AD flag. Therefore if someone
OC> changes the DNS response on the wire and leaves the AD flag set,
OC> spurious data are trusted without further validating. This is not
OC> secure, as link between computer and DNS resolver cannot be generally
OC> trusted.

Yes, which is why we prefer our DNSSEC-Tools libval patch, which always
does local validation and does not depend on the AD flag.

https://bugzilla.mindrot.org/show_bug.cgi?id=1672

Robert

--
Senior Software Engineer
SPARTA, Inc., a Parsons Company

Attachments:

signature.asc (0.19 KB)

lfilipoz at emyr

May 9, 2012, 11:56 AM

Post #11 of 15 (729 views)
Permalink

Re: feature request: modify getrrsetbyname() to use libunbound [In reply to]

On Wed, May 09, 2012 at 08:59:53AM -0400, Robert Story wrote:
> On Wed, 09 May 2012 12:44:13 +0200 Ond??ej wrote:
> > There is only one pitfall. The autonomous validation is attempted
> > only if the DNS response does not contain the AD flag. Therefore if
> > someone changes the DNS response on the wire and leaves the AD flag
> > set, spurious data are trusted without further validating.

Ondrej: Thanks for pointing this out. (I had to dig through ldns source
to find the 'anchor' directive -- agree poorly documented feature.)

> > This is not secure, as link between computer and DNS resolver
> > cannot be generally trusted.

This is the whole point of the unbound patch and our request. I don't
want to trust the AD flag from an upstream resolver (like my ISP). But I
also don't want to tell users to install a local resolver.

> Yes, which is why we prefer our DNSSEC-Tools libval patch, which always
> does local validation and does not depend on the AD flag.
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=1672

Robert, this is a very well written rationale for local DNSSEC
validation. I agree with you: it is very important to have openssh
perform anchored DNSSEC validations and not trust the AD flag.

There seem to be three possible approaches (please correct me if I'm
wrong). If the library-specific implementation is encapsulate in
getrrsetbyname(), we could support all three.

(1) modify the current ldns version of getrrsetbyname() to not trust the
AD flag and to perform anchored validations (possibly optionally based on
whether StrictDnssecChecking is set)

(2) make use of Robert's DNSSEC-Tools-based implementation; could the
DNSSEC-Tools-specific implementation be moved from verify_host_key_dns()
to getrrsetbyname()?

(3) make use of a libunbound-based implementation (which might not be
able to support StrictDnssecChecking=no); could be redundant given (1)
but allows for significant configuration... though one could argue "just
install unbound" if one needs that much tweaking

Is it too ugly to have the validation-enforcing implementations of
getrrsetbyname() function be aware of options->strict_dnssec_checking?

If the underlying tool makes use of a specific supplementary file
(/etc/resolv.conf or /etc/ssh/ssh_unbound_config), then we can allow for
external configuration without introducing additional configuration
directives in ssh_config).

I don't use OpenBSD but, in looking through it's source, it seems that
nothing in the getrrsetbyname() -> res_query() -> res_mkquery() chain
enforces anchored DNSSEC validation. In other words, OpenBSD also
trusts the AD flag (please correct me if I'm mistaken).

I hope this means that openssh and openssh-portable would not need to be
too different as anchored DNSSEC validation might be of interest to the
OpenBSD community, also.

--
Luca Filipozzi
Member, Debian System Administration Team
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

rstory at tislabs

May 9, 2012, 3:11 PM

Post #12 of 15 (725 views)
Permalink

Re: feature request: modify getrrsetbyname() to use libunbound [In reply to]

On Wed, 9 May 2012 18:56:08 +0000 Luca wrote:
LF> > Yes, which is why we prefer our DNSSEC-Tools libval patch, which
LF> > always does local validation and does not depend on the AD flag.
LF> >
LF> > https://bugzilla.mindrot.org/show_bug.cgi?id=1672

I just updated the patch for 6.0p1, in case anyone is interested in trying
it.

LF> (2) make use of Robert's DNSSEC-Tools-based implementation; could the
LF> DNSSEC-Tools-specific implementation be moved from verify_host_key_dns()
LF> to getrrsetbyname()?

We wanted to have the lowest impact possible, and only do DNSSEC for
verifying sshfp records. If upstream is willing to accept optional
validation of all records, we could do that too.

Robert

--
Senior Software Engineer
SPARTA, Inc., a Parsons Company

[signature.asc application/pgp-signature (198 bytes)]

Attachments:

signature.asc (0.19 KB)

lfilipoz at emyr

May 10, 2012, 12:35 PM

Post #13 of 15 (722 views)
Permalink

Re: feature request: modify getrrsetbyname() to use libunbound [In reply to]

On Wed, May 09, 2012 at 05:41:37PM -0400, Robert Story wrote:
> On Wed, 9 May 2012 18:56:08 +0000 Luca wrote:
> LF> > Yes, which is why we prefer our DNSSEC-Tools libval patch, which
> LF> > always does local validation and does not depend on the AD flag.
> LF> >
> LF> > https://bugzilla.mindrot.org/show_bug.cgi?id=1672
>
> I just updated the patch for 6.0p1, in case anyone is interested in trying
> it.

Thanks very much.

> LF> (2) make use of Robert's DNSSEC-Tools-based implementation; could the
> LF> DNSSEC-Tools-specific implementation be moved from verify_host_key_dns()
> LF> to getrrsetbyname()?
>
> We wanted to have the lowest impact possible, and only do DNSSEC for
> verifying sshfp records. If upstream is willing to accept optional
> validation of all records, we could do that too.

I'm in favour of encapsulating the libary-of-choice related code changes
into getrrsetbyname(), leaving only the OpenSSH configuration related
code changes in common openssh/openssh-portable code.

But before we invest more time in this effort, it would be helpful to
hear upstream's opinion regarding our request for anchored DNSSEC
validation to be built into openssh.

We don't want to trust on an upstream resolver's AD bit and we don't
want to require that users install a local resolver. Do they concur?

--
Luca Filipozzi
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

lfilipoz at emyr

May 17, 2012, 5:05 PM

Post #14 of 15 (674 views)
Permalink

Re: feature request: modify getrrsetbyname() to use libunbound [In reply to]

On Thu, May 10, 2012 at 07:35:23PM +0000, Luca Filipozzi wrote:
> But before we invest more time in this effort, it would be helpful to
> hear upstream's opinion regarding our request for anchored DNSSEC
> validation to be built into openssh.
>
> We don't want to trust on an upstream resolver's AD bit and we don't
> want to require that users install a local resolver. Do they concur?

Alternately, would it be helpful to take Robert's suggestion of a
StrictDnssecChecking configuration directive and apply it to the ldns
implementation in 6.0p1? This would avoid introducing new dependencies
(unbound, dnssec-tools) while achieving the suggested functionality.

--
Luca Filipozzi
Member, Debian System Administration Team
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

peter at stuge

May 18, 2012, 10:09 AM

Post #15 of 15 (657 views)
Permalink

Re: feature request: modify getrrsetbyname() to use libunbound [In reply to]

Luca Filipozzi wrote:
> > But before we invest more time in this effort, it would be helpful to
> > hear upstream's opinion regarding our request for anchored DNSSEC
> > validation to be built into openssh.
> >
> > We don't want to trust on an upstream resolver's AD bit and we don't
> > want to require that users install a local resolver. Do they concur?
>
> Alternately, would it be helpful to take Robert's suggestion of a
> StrictDnssecChecking configuration directive and apply it to the ldns
> implementation in 6.0p1? This would avoid introducing new dependencies
> (unbound, dnssec-tools) while achieving the suggested functionality.

I think this sounds like a good idea. I guess the patch will also be
quite small? Remember to also look at what is going on upstream, ie.
in OpenSSH within OpenBSD.

//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads