draft-ietf-secsh-dns-00.txt   draft-ietf-secsh-dns-01.txt 
Secure Shell Working Group J. Schlyter Secure Shell Working Group J. Schlyter
Internet-Draft Carlstedt Research & Internet-Draft Carlstedt Research &
Expires: February 10, 2003 Technology Expires: May 4, 2003 Technology
W. Griffin W. Griffin
Network Associates Laboratories Network Associates Laboratories
August 12, 2002 November 3, 2002
Using DNS to securely publish SSH key fingerprints Using DNS to securely publish SSH key fingerprints
draft-ietf-secsh-dns-00.txt draft-ietf-secsh-dns-01.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 34 skipping to change at page 1, line 33
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http:// The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt. www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on February 10, 2003. This Internet-Draft will expire on May 4, 2003.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved. Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract Abstract
This document describes a method to verify SSH host keys using This document describes a method to verify SSH host keys using
DNSSEC. The document defines a new DNS resource record that contains DNSSEC. The document defines a new DNS resource record that contains
a standard SSH key fingerprint. a standard SSH key fingerprint.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. SSH Host Key Verification . . . . . . . . . . . . . . . . . 3 2. SSH Host Key Verification . . . . . . . . . . . . . . . . . 3
2.1 Method . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1 Method . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2 Fingerprint matching . . . . . . . . . . . . . . . . . . . . 3 2.2 Implementation notes . . . . . . . . . . . . . . . . . . . . 3
2.3 Authentication . . . . . . . . . . . . . . . . . . . . . . . 3 2.3 Fingerprint matching . . . . . . . . . . . . . . . . . . . . 4
2.4 Authentication . . . . . . . . . . . . . . . . . . . . . . . 4
3. The SSHFP resource record . . . . . . . . . . . . . . . . . 4 3. The SSHFP resource record . . . . . . . . . . . . . . . . . 4
3.1 The SSHFP RDATA format . . . . . . . . . . . . . . . . . . . 4 3.1 The SSHFP RDATA format . . . . . . . . . . . . . . . . . . . 4
3.1.1 Algorithm number specification . . . . . . . . . . . . . . . 4 3.1.1 Algorithm number specification . . . . . . . . . . . . . . . 4
3.1.2 Fingerprint type specification . . . . . . . . . . . . . . . 4 3.1.2 Fingerprint type specification . . . . . . . . . . . . . . . 5
3.1.3 Fingerprint . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1.3 Fingerprint . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2 Presentation format of the SSHFP RR . . . . . . . . . . . . 5 3.2 Presentation format of the SSHFP RR . . . . . . . . . . . . 5
4. Security considerations . . . . . . . . . . . . . . . . . . 5 4. Security considerations . . . . . . . . . . . . . . . . . . 5
4.1 Backend transport integrity . . . . . . . . . . . . . . . . 5 5. IANA considerations . . . . . . . . . . . . . . . . . . . . 6
4.2 Effects on the SSH trust model . . . . . . . . . . . . . . . 5 References . . . . . . . . . . . . . . . . . . . . . . . . . 7
5. IANA considerations . . . . . . . . . . . . . . . . . . . . 5 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8
References . . . . . . . . . . . . . . . . . . . . . . . . . 6 A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 7 Full Copyright Statement . . . . . . . . . . . . . . . . . . 9
A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
Full Copyright Statement . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
The SSH [9] protocol provides secure remote login and other secure The SSH [9] protocol provides secure remote login and other secure
network services over an insecure network. The security of the network services over an insecure network. The security of the
connection relies on the server authenticating itself to the client. connection relies on the server authenticating itself to the client.
Server authentication is normally done by presenting the fingerprint Server authentication is normally done by presenting the fingerprint
of an unknown public key to the user for verification. If the user of an unknown public key to the user for verification. If the user
decides the fingerprint is correct and accepts the key, the key is decides the fingerprint is correct and accepts the key, the key is
skipping to change at page 3, line 42 skipping to change at page 3, line 42
2. SSH Host Key Verification 2. SSH Host Key Verification
2.1 Method 2.1 Method
Upon connection to a SSH server, the SSH client MAY look up the SSHFP Upon connection to a SSH server, the SSH client MAY look up the SSHFP
resource record(s) for the host it is connecting to. If the resource record(s) for the host it is connecting to. If the
algorithm and fingerprint of the key received from the SSH server algorithm and fingerprint of the key received from the SSH server
matches the algorithm and fingerprint of one of the SSHFP resource matches the algorithm and fingerprint of one of the SSHFP resource
record(s) returned from DNS, the client MAY accept the identity of record(s) returned from DNS, the client MAY accept the identity of
the server. It is RECOMMENDED that the client ask the user for the server.
confirmation before accepting the identity of the server.
2.2 Fingerprint matching 2.2 Implementation notes
Client implementors SHOULD to provide a configurable policy used to
select the order of methods used to verify a host key and which
fingerprints to trust ultimately, after user confirmation or not at
all.
2.3 Fingerprint matching
The public key and the SSHFP resource record are matched together by The public key and the SSHFP resource record are matched together by
comparing algorithm number and fingerprint. comparing algorithm number and fingerprint.
2.3 Authentication 2.4 Authentication
A public key verified using this method MUST only be trusted if the A public key verified using this method MUST only be trusted if the
SSHFP RR used for verification was authenticated by a trusted SIG RR. SSHFP RR used for verification was authenticated by a trusted SIG RR.
Clients that do not validate the DNSSEC signatures themselves MUST Clients that do not validate the DNSSEC signatures themselves MUST
use a secure transport, e.g. TSIG [6], SIG(0) [7] or IPsec [4], use a secure transport, e.g. TSIG [6], SIG(0) [7] or IPsec [4],
between themselves and the entity performing the signature between themselves and the entity performing the signature
validation. validation.
3. The SSHFP resource record 3. The SSHFP resource record
skipping to change at page 5, line 30 skipping to change at page 5, line 43
3.2 Presentation format of the SSHFP RR 3.2 Presentation format of the SSHFP RR
The presentation format of the SSHFP resource record consists of two The presentation format of the SSHFP resource record consists of two
numbers (algorithm and fingerprint type) followed by the fingerprint numbers (algorithm and fingerprint type) followed by the fingerprint
itself presented in hex, e.g: itself presented in hex, e.g:
host.example. SSHFP 2 1 123456789abcdef67890123456789abcdef67890 host.example. SSHFP 2 1 123456789abcdef67890123456789abcdef67890
4. Security considerations 4. Security considerations
4.1 Backend transport integrity Currently, the amount of trust a user can realistically place in a
server key is proportional to the amount of attention paid to
verifying that the key presented is actually the key at the server.
If a user accepts a key without verifying the fingerprint with
something learned through a secured channel, the connection is
vulnerable to a man-in-the-middle attack.
The approach suggested here shifts the burden of key checking from
each user of a machine to the key checking performed by the
administrator of the DNS recursive server used to resolve the host
information. Hopefully, by reducing the number of times that keys
need to be verified by hand, each verification is performed more
completely. Furthermore, by requiring an administrator do the
checking, the result may be more reliable than placing this task in
the hands of an application user.
The overall security of using SSHFP for SSH host key verification is
dependent on detailed aspects of how verification is done in SSH
implementations. One such aspect is in which order fingerprints are
looked up (e.g. first checking local file and then SSHFP). We note
that in addition to protecting the first-time transfer of host keys,
SSHFP can optionally be used for stronger host key protection.
If SSHFP is checked first, new SSH host keys may be distributed by
replacing the corresponding SSHFP in DNS.
If SSH host key verification can be configured to require SSHFP,
we can implement SSH host key revocation by removing the
corresponding SSHFP from DNS.
As stated in Section 2.2, we recommend that SSH implementors provide
a policy mechanism to control the order of methods used for host key
verification.
Another dependency is on the implementation of DNSSEC itself. As
stated in Section 2.4, we mandate the use of secure methods for
lookup and that SSHFP RRs are authenticated by trusted SIG RRs. This
is especially important if SSHFP is to be used as a basis for host
key rollover and/or revocation, as described above.
Since DNSSEC only protects the integrity of the host key fingerprint Since DNSSEC only protects the integrity of the host key fingerprint
after it is signed by the DNS zone administrator, the fingerprint after it is signed by the DNS zone administrator, the fingerprint
must be transfered securely from the SSH host administrator to the must be transferred securely from the SSH host administrator to the
DNS zone administrator. This could be done manually between the DNS zone administrator. This could be done manually between the
administrators or automatically using secure DNS dynamic update [8] administrators or automatically using secure DNS dynamic update [8]
between the SSH server and the nameserver. between the SSH server and the nameserver. We note that this is no
different from other key enrollment situations, e.g. a client
4.2 Effects on the SSH trust model sending a certificate request to a certificate authority for signing.
... to be written ...
5. IANA considerations 5. IANA considerations
IANA needs to allocate a RR type code for SSHFP from the standard RR IANA needs to allocate a RR type code for SSHFP from the standard RR
type space. type space (type 44 requested).
IANA needs to open a new registry for the SSHFP RR type for public IANA needs to open a new registry for the SSHFP RR type for public
key algorithms. Defined types are: key algorithms. Defined types are:
0 is reserved 0 is reserved
1 is RSA 1 is RSA
2 is DSA 2 is DSA
Adding new reservations requires IETF consensus. Adding new reservations requires IETF consensus.
skipping to change at page 6, line 48 skipping to change at page 7, line 48
2845, May 2000. 2845, May 2000.
[7] Eastlake, D., "DNS Request and Transaction Signatures ( [7] Eastlake, D., "DNS Request and Transaction Signatures (
SIG(0)s)", RFC 2931, September 2000. SIG(0)s)", RFC 2931, September 2000.
[8] Wellington, B., "Secure Domain Name System (DNS) Dynamic [8] Wellington, B., "Secure Domain Name System (DNS) Dynamic
Update", RFC 3007, November 2000. Update", RFC 3007, November 2000.
[9] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T J. and S. [9] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T J. and S.
Lehtinen, "SSH Transport Layer Protocol", work in progress Lehtinen, "SSH Transport Layer Protocol", work in progress
draft-ietf-secsh-architecture-12.txt, March 2002. draft-ietf-secsh-architecture-13.txt, September 2002.
[10] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T J. and S. [10] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T J. and S.
Lehtinen, "SSH Transport Layer Protocol", work in progress Lehtinen, "SSH Transport Layer Protocol", work in progress
draft-ietf-secsh-transport-14.txt, March 2002. draft-ietf-secsh-transport-15.txt, September 2002.
Authors' Addresses Authors' Addresses
Jakob Schlyter Jakob Schlyter
Carlstedt Research & Technology Carlstedt Research & Technology
Stora Badhusgatan 18-20 Stora Badhusgatan 18-20
Goteborg SE-411 21 Goteborg SE-411 21
Sweden Sweden
EMail: jakob@crt.se EMail: jakob@crt.se
skipping to change at page 7, line 30 skipping to change at page 8, line 30
USA USA
EMail: wgriffin@tislabs.com EMail: wgriffin@tislabs.com
URI: http://www.nailabs.com/ URI: http://www.nailabs.com/
Appendix A. Acknowledgements Appendix A. Acknowledgements
The authors gratefully acknowledges, in no particular order, the The authors gratefully acknowledges, in no particular order, the
contributions of the following persons: contributions of the following persons:
Bill Sommerfeld Martin Fredriksson
Olafur Gudmundsson Olafur Gudmundsson
Edward Lewis Edward Lewis
Bill Sommerfeld
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved. Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are kind, provided that the above copyright notice and this paragraph are
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/