
SSHFP Record mismatch

After a long time without updating them, I decided to refresh my SSH and DNS use of SSHFP records, which I successfully used in the past a long time ago.

So I configured my ssh_config to fetch host keys from DNS SSHFP records, generated the SSHFP records using ssh-keygen -r (about 8 records per host using openssh version 7) and uploaded them to the DNS:

$ ssh-keygen -r wigan.l3jane.net
wigan.l3jane.net IN SSHFP 1 1 4ea16c946b78c407ed62733bb3ec9d3f90b05ddf
wigan.l3jane.net IN SSHFP 1 2 5c39b2e106dea35232b0f8cd5e55b2f9391058e81c2247bc123f7960031209e0
wigan.l3jane.net IN SSHFP 2 1 76c7ca61d7364afd515470ac35f7b111b2b91de2
wigan.l3jane.net IN SSHFP 2 2 7effb058b4922a079131f1daa596a3288a7f73606fa4d388e0efa8f583f6e6e9
wigan.l3jane.net IN SSHFP 3 1 b9f56d258edf02c05eefb57f757ce517128cc32d
wigan.l3jane.net IN SSHFP 3 2 c6439507e4fc6de0e9d0381efe4851c1696927c938a61ffd715752f3cd87d035
wigan.l3jane.net IN SSHFP 4 1 6067c78156c5c12829069975caca5fbf4821b1a7
wigan.l3jane.net IN SSHFP 4 2 a76720d1b8f254e158f8b4c1193040c2ca10383aa9851d0fea3935ca7bdacdcd

; <<>> DiG 9.10.3-P4-Ubuntu <<>> wigan.l3jane.net sshfp +noall +answer
;; global options: +cmd
wigan.l3jane.net.    3600    IN    SSHFP    4 1 6067C78156C5C12829069975CACA5FBF4821B1A7
wigan.l3jane.net.    3600    IN    SSHFP    3 2 C6439507E4FC6DE0E9D0381EFE4851C1696927C938A61FFD715752F3 CD87D035
wigan.l3jane.net.    3600    IN    SSHFP    4 2 A76720D1B8F254E158F8B4C1193040C2CA10383AA9851D0FEA3935CA 7BDACDCD
wigan.l3jane.net.    3600    IN    SSHFP    2 1 76C7CA61D7364AFD515470AC35F7B111B2B91DE2
wigan.l3jane.net.    3600    IN    SSHFP    1 2 5C39B2E106DEA35232B0F8CD5E55B2F9391058E81C2247BC123F7960 031209E0
wigan.l3jane.net.    3600    IN    SSHFP    3 1 B9F56D258EDF02C05EEFB57F757CE517128CC32D
wigan.l3jane.net.    3600    IN    SSHFP    2 2 7EFFB058B4922A079131F1DAA596A3288A7F73606FA4D388E0EFA8F5 83F6E6E9
wigan.l3jane.net.    3600    IN    SSHFP    1 1 4EA16C946B78C407ED62733BB3EC9D3F90B05DDF


However, when I try to ssh to the hosts using VerifyHostKeyDNS yes, ssh always warns me that the keys don't match and to contact the administrator to update the SSHFP records:

$ ssh wigan.l3jane.net
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:+I0aL8rLHidzOoy5JzgY/k56ZNdmZ7jUylO60P6mo4o.
Please contact your system administrator.
Update the SSHFP RR in DNS with the new host key to get rid of this message.
The authenticity of host 'wigan.l3jane.net (172.31.108.132)' can't be established.
ECDSA key fingerprint is SHA256:+I0aL8rLHidzOoy5JzgY/k56ZNdmZ7jUylO60P6mo4o.
No matching host key fingerprint found in DNS.

$ ssh -V
OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g  1 Mar 2016

I confirmed with a tcpdump that the DNS server is answering correctly with all the possible keys; the only strange thing is that some fingerprints appear with a space in the dig DNS answer (although this space doesn't appear in the TCP capture, so I understand it is the way dig shows the information).
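As an added example (not part of the original post), the following Python script derives SSHFP records from an OpenSSH public-key line the way `ssh-keygen -r` does and compares them with dig-style answers, ignoring the uppercase/lowercase difference and the space dig inserts into long digests. The hostname, the ed25519 key and the dig rendering are constructed here for the demonstration; they are not values from the post.

```python
import base64
import hashlib

# Algorithm numbers from RFC 4255 / RFC 6594 / RFC 7479, by OpenSSH key type.
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
# Fingerprint type numbers: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_records(hostname, pubkey_line):
    """SSHFP RRs for one host key, in the shape `ssh-keygen -r` prints."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob)  # the digest covers the raw key blob
    return [f"{hostname} IN SSHFP {ALGORITHMS[key_type]} {fp_type} {h(blob).hexdigest()}"
            for fp_type, h in FP_TYPES.items()]

def parse_sshfp(rr):
    """Normalise an SSHFP RR from ssh-keygen or dig output to
    (algorithm, fp_type, lowercase hex). dig prints the digest in uppercase
    and may break a long hex string with a space; both are presentation only."""
    fields = rr.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), "".join(fields[i + 3:]).lower()

def dig_style(rr, ttl=3600):
    """Render an RR the way dig does: trailing dot, TTL, uppercase hex with a
    space after 56 hex characters (as seen in the dig output above)."""
    alg, fp_type, digest = parse_sshfp(rr)
    hexs = digest.upper()
    hexs = " ".join(hexs[i:i + 56] for i in range(0, len(hexs), 56))
    return f"{rr.split()[0]}.\t{ttl}\tIN\tSSHFP\t{alg} {fp_type} {hexs}"

def dns_matches_key(hostname, pubkey_line, dns_answers):
    """True if at least one published SSHFP RR matches the presented key."""
    expected = {parse_sshfp(r) for r in sshfp_records(hostname, pubkey_line)}
    return bool(expected & {parse_sshfp(a) for a in dns_answers})

def constructed_host_key(seed=0):
    """A CONSTRUCTED ed25519 public-key line (not a real host key): the
    OpenSSH wire blob is a length-prefixed type string plus 32 key bytes."""
    blob = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + (32).to_bytes(4, "big") + bytes((seed + i) % 256 for i in range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```

Feeding a real host's `/etc/ssh/ssh_host_*_key.pub` line and the actual `dig ... sshfp +short` answers to `dns_matches_key` tells you whether the published records correspond to the key the server presents, independently of how dig wraps the hex.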