
Enable DNSSEC support with ldns
ClosedPublic

Authored by silke on Sep 16 2018, 10:07 AM.

Details

Summary

Building OpenSSH with LDNS allows OpenSSH to securely verify fingerprints in
SSHFP records. VerifyHostKeyDNS yes will then implicitly trust keys that match
a secure fingerprint from DNS.

Test Plan

Use OpenSSH server and client.
Verify that DNSSEC secure keys are trusted.
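The check behind the summary, as an added example for this review (not OpenSSH or Solus code): how an SSHFP record is derived from a host key blob, and why only a DNSSEC-validated match lets VerifyHostKeyDNS yes skip the known_hosts prompt. The Ed25519 key bytes, the host name host.example. and the four decision labels are assumptions of this model, not OpenSSH identifiers.

```python
"""SSHFP fingerprints and the trust decision behind VerifyHostKeyDNS.

Added example for this review, not OpenSSH or Solus code.  The Ed25519 key
bytes and the DNS answers are constructed inline; nothing is resolved.
"""
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479), keyed by the
# OpenSSH key type string that starts a known_hosts / authorized_keys line.
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_SHA1, SSHFP_SHA256 = 1, 2  # SSHFP fingerprint types


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Public key blob (the base64 part of a host key line):
    string("ssh-ed25519") || string(32 raw key bytes)."""
    if len(raw_pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def sshfp_fingerprint(blob: bytes, fptype: int) -> str:
    """Hex digest over the whole key blob, which is what ssh-keygen -r
    publishes and what the client hashes the presented host key with."""
    if fptype == SSHFP_SHA1:
        return hashlib.sha1(blob).hexdigest()
    if fptype == SSHFP_SHA256:
        return hashlib.sha256(blob).hexdigest()
    raise ValueError("unknown SSHFP fingerprint type %d" % fptype)


def sshfp_records(host: str, keytype: str, blob: bytes) -> list:
    """Zone-file lines equivalent to `ssh-keygen -r host` for one key."""
    algo = SSHFP_ALGO[keytype]
    return [
        "%s IN SSHFP %d %d %s" % (host, algo, t, sshfp_fingerprint(blob, t))
        for t in (SSHFP_SHA1, SSHFP_SHA256)
    ]


def parse_sshfp(rdata: str) -> tuple:
    """'4 2 <hex>' -> (algorithm, fptype, lowercase hex)."""
    algo, fptype, fp = rdata.split()
    return int(algo), int(fptype), fp.lower()


def dns_verify_decision(keytype: str, blob: bytes, rdatas: list,
                        dnssec_validated: bool) -> str:
    """Model (labels are this example's, not OpenSSH's) of the outcomes the
    client distinguishes under VerifyHostKeyDNS, given the host key the
    server presented and the SSHFP RDATA strings the resolver returned:

      'none'  - no SSHFP records for the host
      'warn'  - records exist but none matches the presented key
      'ask'   - a record matches, but the answer was not DNSSEC-validated
      'trust' - a record matches and the answer was validated (secure)

    Only 'trust' lets the client accept the key without the known_hosts
    prompt; the 'secure' flag is what the ldns build is meant to supply.
    """
    if not rdatas:
        return "none"
    algo = SSHFP_ALGO[keytype]
    matched = False
    for rdata in rdatas:
        a, t, fp = parse_sshfp(rdata)
        if a != algo:
            continue  # record is for a different key algorithm
        try:
            matched = matched or fp == sshfp_fingerprint(blob, t)
        except ValueError:
            continue  # fingerprint type this client does not know
    if not matched:
        return "warn"
    return "trust" if dnssec_validated else "ask"


if __name__ == "__main__":
    # Constructed key material: NOT a real host key.
    blob = ed25519_blob(bytes(range(32)))
    records = sshfp_records("host.example.", "ssh-ed25519", blob)
    print("\n".join(records))
    rdatas = [r.split(" IN SSHFP ")[1] for r in records]
    for validated in (True, False):
        print(validated, dns_verify_decision("ssh-ed25519", blob, rdatas, validated))
```

The matching alone is cheap; the security of the scheme rests entirely on the `dnssec_validated` input, which is why a build that cannot validate (or that trusts an upstream resolver's AD bit over an unprotected path) gains nothing from `VerifyHostKeyDNS yes` beyond an informational message.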

Diff Detail

Repository
R2256 openssh
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

silke created this revision.Sep 16 2018, 10:07 AM
silke requested review of this revision.Sep 16 2018, 10:07 AM
JoshStrobl requested changes to this revision.Sep 22 2018, 9:07 AM
JoshStrobl added a subscriber: JoshStrobl.

Please recompile this against our updated images, referenced here, as libresolv should not be removed.

This revision now requires changes to proceed.Sep 22 2018, 9:07 AM
silke updated this revision to Diff 9624.Sep 22 2018, 1:46 PM

Add libresolv back to abi_used_libs

silke added a comment.Sep 22 2018, 1:47 PM

@JoshStrobl I got the same result when building against the updated images. I have added it back manually.

DataDrake accepted this revision.Oct 18 2018, 12:42 AM
DataDrake added a subscriber: DataDrake.

LGTM. Thanks!

DataDrake requested changes to this revision.Oct 18 2018, 2:16 AM

Still not right.

abi_used_libs:

-libresolv.so.2
This revision now requires changes to proceed.Oct 18 2018, 2:16 AM
silke added a comment (edited).Oct 22 2018, 11:54 AM

@DataDrake, @JoshStrobl: it seems to me that libresolv is removed because ldns is used for resolving instead.

Edit: /usr/bin/ssh doesn't require libresolv.so.2 as a shared library when built against ldns, which is why it isn't included automatically. readelf -d output:

0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.0.0]
0x0000000000000001 (NEEDED)             Shared library: [libdl.so.2]
0x0000000000000001 (NEEDED)             Shared library: [libldns.so.2]
0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
0x0000000000000001 (NEEDED)             Shared library: [libgssapi_krb5.so.2]
0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
In D3846#65786, @silke wrote:

Edit: /usr/bin/ssh doesn't require libresolv.so.2 as a shared library when built against ldns, which is why it isn't included automatically. readelf -d output:

Then libresolv.so.2 shouldn't be in abi_used_libs. It's not a file to manually edit, it's to identify differences from the build.

On a semi-related note, readelf -d is unreliable for resolving linked libraries. ldd will give you far superior results.

silke updated this revision to Diff 10132.Oct 22 2018, 3:13 PM

Undo: Add libresolv back to abi_used_libs

silke added a comment.Oct 22 2018, 3:21 PM
In D3846#65786, @silke wrote:

Edit: /usr/bin/ssh doesn't require libresolv.so.2 as a shared library when built against ldns, which is why it isn't included automatically. readelf -d output:

Then libresolv.so.2 shouldn't be in abi_used_libs. It's not a file to manually edit, it's to identify differences from the build.

Ack, misread the feedback. Undid the change.

On a semi-related note, readelf -d is unreliable for resolving linked libraries. ldd will give you far superior results.

Agreed. I used readelf -d because that's what YPKG uses (I believe). ldd pretty much shows the same thing:

	linux-vdso.so.1 (0x00007ffd631fa000)
	libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f1c51bba000)
	libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f1c51bb5000)
	libldns.so.2 => /usr/lib/libldns.so.2 (0x00007f1c51b5a000)
	libz.so.1 => /usr/lib/libz.so.1 (0x00007f1c51b42000)
	libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00007f1c51af7000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f1c51910000)
	/usr/lib64/ld-linux-x86-64.so.2 (0x00007f1c520ed000)
	libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00007f1c5183a000)
	libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00007f1c51808000)
	libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x00007f1c51803000)
	libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00007f1c517f7000)
	libresolv.so.2 => /usr/lib/libresolv.so.2 (0x00007f1c517dc000)
	libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f1c517bb000)
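To make the readelf/ldd difference discussed above concrete, an added example (not ypkg or Solus tooling) that parses the two listings pasted in this thread: readelf -d shows only the binary's own DT_NEEDED entries, whereas ldd walks the whole load set, which is where libresolv.so.2 enters via the Kerberos libraries. The abi_used_libs layout (one soname per line) and the helper names are assumptions of this example.

```python
"""Direct vs. transitive shared-library dependencies of /usr/bin/ssh.

Added example for this review, not ypkg/Solus tooling.  The two listings
are the readelf -d and ldd output pasted in the thread, embedded as literal
text; the abi_used_libs layout (one soname per line) is assumed.
"""
import re

READELF_D = """\
0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.0.0]
0x0000000000000001 (NEEDED)             Shared library: [libdl.so.2]
0x0000000000000001 (NEEDED)             Shared library: [libldns.so.2]
0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
0x0000000000000001 (NEEDED)             Shared library: [libgssapi_krb5.so.2]
0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""

LDD = """\
\tlinux-vdso.so.1 (0x00007ffd631fa000)
\tlibcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f1c51bba000)
\tlibdl.so.2 => /usr/lib/libdl.so.2 (0x00007f1c51bb5000)
\tlibldns.so.2 => /usr/lib/libldns.so.2 (0x00007f1c51b5a000)
\tlibz.so.1 => /usr/lib/libz.so.1 (0x00007f1c51b42000)
\tlibgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00007f1c51af7000)
\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f1c51910000)
\t/usr/lib64/ld-linux-x86-64.so.2 (0x00007f1c520ed000)
\tlibkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00007f1c5183a000)
\tlibk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00007f1c51808000)
\tlibcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x00007f1c51803000)
\tlibkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00007f1c517f7000)
\tlibresolv.so.2 => /usr/lib/libresolv.so.2 (0x00007f1c517dc000)
\tlibpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f1c517bb000)
"""

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")
LDD_RE = re.compile(r"^\s*(\S+)\s+=>\s+(.+?)\s+\(0x[0-9a-f]+\)\s*$")
LDD_MISSING_RE = re.compile(r"^\s*(\S+)\s+=>\s+not found\s*$")


def direct_needed(readelf_output: str) -> list:
    """Sonames the binary itself declares in DT_NEEDED, in link order."""
    return NEEDED_RE.findall(readelf_output)


def ldd_closure(ldd_output: str) -> dict:
    """Soname -> resolved path for everything ld.so would load: the
    binary's own NEEDED entries plus those of every library they pull in.
    The vDSO and loader lines carry no '=>' and are skipped; a library
    ldd reports as 'not found' maps to None."""
    closure = {}
    for line in ldd_output.splitlines():
        m = LDD_RE.match(line)
        if m:
            closure[m.group(1)] = m.group(2)
            continue
        m = LDD_MISSING_RE.match(line)
        if m:
            closure[m.group(1)] = None
    return closure


def transitive_only(readelf_output: str, ldd_output: str) -> list:
    """Libraries ldd loads that the binary does not link directly."""
    direct = set(direct_needed(readelf_output))
    return sorted(set(ldd_closure(ldd_output)) - direct)


def check_abi_used_libs(declared: str, readelf_output: str) -> tuple:
    """Diff a hand-edited abi_used_libs against the build's DT_NEEDED.
    Returns (missing, extra): missing = linked but not declared,
    extra = declared but no longer linked (libresolv.so.2 in this thread)."""
    want = set(l.strip() for l in declared.splitlines() if l.strip())
    have = set(direct_needed(readelf_output))
    return sorted(have - want), sorted(want - have)


if __name__ == "__main__":
    print("direct   :", direct_needed(READELF_D))
    print("indirect :", transitive_only(READELF_D, LDD))
    stale = "\n".join(direct_needed(READELF_D) + ["libresolv.so.2"])
    print("abi diff :", check_abi_used_libs(stale, READELF_D))
```

For a packaging ABI file the direct set is the right one: ssh no longer references libresolv symbols itself, so a future libresolv soname bump should not trigger a rebuild of openssh, only of the Kerberos libraries that actually link it. ldd remains the right tool for the other question, whether everything the process will load is actually present.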
DataDrake accepted this revision.Nov 20 2018, 3:05 PM

LGTM. Thanks!

DataDrake requested changes to this revision.Nov 20 2018, 3:12 PM

Needs a rebase.

This revision now requires changes to proceed.Nov 20 2018, 3:12 PM
DataDrake accepted this revision.Nov 20 2018, 3:37 PM

LGTM. Thanks!

This revision was not accepted when it landed; it landed in state Needs Review.Nov 20 2018, 3:39 PM
Closed by commit R2256:41f2ac72229b: Enable DNSSEC support with ldns (authored by silke, committed by DataDrake).
This revision was automatically updated to reflect the committed changes.