Brew openssh is not working with SSHFP/DNSSEC records (High Sierra)

(Jonathan Duncan) #1

tags: #sshfp, #dnssec, #ldns, #openssh, #openssl

On macOS 10.13 (High Sierra) upgrading openssh to version 7.5p1 and higher causes a problem with LDNS. This is a known bug.

Exact message when using ssh -vvv to a remote system which relies on SSHFP:

debug3: verify_host_key_dns
DNS lookup error: general failure
debug3: hostkeys_foreach: reading file "~/.ssh/known_hosts"
debug3: hostkeys_foreach: reading file "~/.ssh/known_hosts"
The authenticity of host '' can't be established.

One interim fix is to use an older version (if you have one on your system) with brew by using this command (or similar):

brew switch openssh 7.4p1

I have brought up this issue with the people on the OpenSSH list:

sshfp/ldns still having issues in 7.6

In that thread it was suggested that using getdns instead of ldns could be a good alternate solution.

A related bug was opened and closed already:
“[OpenSSH] OpenSSH v7.5p1, Homebrew revision 1 Fails to Build on OS X ‘El Capitan’ v10.11.6”

I am only seeing this on High Sierra.

Anyone else running into this problem?

(Jonathan Duncan) #2

For the moment, openssh is now doing DNS lookups. I am not sure exactly how I achieved this. I did update the openssh.rb formula to make ldns a requirement. Then I ran brew install --build-from-source openssh. I also did several other things. So I cannot yet duplicate this. If/when I run into this again I will continue the troubleshooting process. Updates tend to break things. I also support other users running a similar setup, so I will likely have the opportunity to again.

(Jonathan Duncan) #4

The problem is back for me. I was trying to think of changes that I recently made that might affect this. I have done a brew update && brew upgrade recently, but I did not notice any updates to openssh, openssl, or ldns. I also let Apple install version 9.4 of Command Line Tools. Here are my current versions:

openssh: OpenSSH_7.7p1, OpenSSL 1.0.2o  27 Mar 2018
openssl: stable 1.0.2o (bottled) [keg-only]
ldns: stable 1.7.0 (bottled)
LibreSSL 2.2.7 (also on the system but not in brew and not the one that OpenSSH was built with)

I removed openssh from brew and upgraded macOS from version 10.13.4 to 10.13.5. I am now trying the macOS version of SSH. My version is OpenSSH_7.6p1, LibreSSL 2.6.2. At least the DNS aspect is working.

debug3: verify_host_key_dns
debug1: found 1 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS

(Jonathan Duncan) #5

I ran brew install --build-from-source openssh --with-ldns and, even though it said "Warning: openssh: this formula has no --with-ldns option so it will be ignored!", ssh is now correctly using DNS and finding secure fingerprints for me.
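Two mechanics underlie the whole thread and are worth checking independently of which ssh binary is on the path: what an SSHFP record actually is (a SHA-1 or SHA-256 hash over the wire-format host key, which is exactly what ssh-keygen -r emits), and why ssh reports fingerprints it finds as "secure" or "insecure" and what that changes. The Python below is an added example for this page, not code from the posts, from OpenSSH or from Homebrew. It builds a constructed ssh-ed25519 key (not a real host key), generates the matching SSHFP RRs, checks an RR against a key the way ssh does, and mirrors the accept/ask/warn outcomes of ssh's check_host_key: only a fingerprint that both matches and was DNSSEC-validated ("secure") lets VerifyHostKeyDNS=yes skip the prompt; an "insecure" match, as in the macOS-stock debug output above, still prompts.

```python
"""SSHFP generation and ssh(1)'s secure/insecure decision (added example).

Not from the original post, OpenSSH or Homebrew. The sample key is constructed.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479), keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Return (key_type, wire_blob) from an OpenSSH public-key line.

    Accepts 'ssh-ed25519 AAAA... comment' style lines (authorized_keys,
    *.pub, known_hosts without the host field). The SSHFP fingerprint is a
    hash over exactly the decoded blob, nothing else.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])  # blob begins with its own type string
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type inside blob does not match the prefix")
    return key_type, blob


def sshfp_records(hostname, line, fptypes=(1, 2)):
    """Generate SSHFP RRs for a host key, like `ssh-keygen -r hostname -f key.pub`."""
    key_type, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[key_type]
    return [f"{hostname} IN SSHFP {alg} {fptype} {SSHFP_HASH[fptype](blob).hexdigest()}"
            for fptype in fptypes]


def sshfp_matches(line, rr):
    """Check one SSHFP RDATA tuple (alg, fptype, hex fingerprint) against a key."""
    alg, fptype, fp_hex = rr
    key_type, blob = parse_pubkey_line(line)
    if SSHFP_ALGORITHM.get(key_type) != alg or fptype not in SSHFP_HASH:
        return False
    return SSHFP_HASH[fptype](blob).hexdigest().lower() == fp_hex.lower()


def host_key_decision(found, match, secure, verify_host_key_dns="yes"):
    """Mirror the outcome of ssh(1)'s check_host_key for DNS lookup results.

    found  - at least one SSHFP RR came back
    match  - one of them matched the presented host key
    secure - the RRset was DNSSEC-validated (ssh logs "secure", else "insecure")
    Returns 'accept' (no prompt), 'ask-matched' (prompt, but the prompt notes the
    DNS match), 'warn' (SSHFP present but none matched: changed-key warning),
    or 'none' (nothing usable from DNS; fall back to known_hosts / prompt).
    """
    if verify_host_key_dns == "no" or not found:
        return "none"
    if verify_host_key_dns == "yes" and match and secure:
        return "accept"
    if match:
        return "ask-matched"
    return "warn"


def constructed_ed25519_line():
    """A syntactically valid ssh-ed25519 line; the 32-byte point is 0..31 (constructed)."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    key_line = constructed_ed25519_line()
    for rr in sshfp_records("host.example.", key_line):
        print(rr)
    # The situation in the macOS-stock debug output above: matched, but insecure.
    print("insecure match ->", host_key_decision(True, True, False))
    print("secure match   ->", host_key_decision(True, True, True))
```

To compare against the real tool, run `ssh-keygen -r host.example. -f /etc/ssh/ssh_host_ed25519_key.pub` on the server and `dig +dnssec SSHFP host.example.` from the client; the hex in the RR should equal the SHA-1/SHA-256 this block computes over the decoded key blob. Whether ssh reports "secure" depends on the DNSSEC validation status its resolver library returns, so a correct RR with a broken ldns build or a non-validating resolver path gives the "insecure" result, and with VerifyHostKeyDNS=yes that still ends in a prompt rather than an automatic accept.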