Re: Fixing exchange of host keys in the SSH key exchange

To: "Peter Gutmann" <pgut001%cs.auckland.ac.nz@localhost>, <ietf-ssh%netbsd.org@localhost>
Subject: Re: Fixing exchange of host keys in the SSH key exchange
From: "denis bider \(Bitvise\)" <ietf-ssh3%denisbider.com@localhost>
Date: Sat, 25 Mar 2017 13:09:55 -0600

Peter:

> this prevents the situation where the client will present
> the user with a host key verification dialog, and the user
> will just click through it.

It also makes things a lot more painful for the user.

It helps ensure secure host key configuration. There are administrators whowould prefer this.

If this involves more pain than previously, the user was most likely notmanaging host key trust to the same standards.

If you regularly need to SSH into a dozen different devices
to administer them, it gets even worse.

This is meant for administrators who would want to enable this policy. Thiswould be a server-side policy, so if you're administering machines, youcould avoid configuring this policy.

> drive-by password guessing becomes largely impossible,
> since unknown attackers do not know the server’s host key.

This is really just an awkward form of port-knocking.

Yes, and we have other mechanisms for this (e.g. protocol obfuscation). Inthis case, it's a nice effect you get for free, in case you enable thispolicy.

> Server implementations that do not know about this extension,
> but correctly implement the spec,

How do we know what percentage of servers do this?


We don't, it would be necessary to test this.

Which means, probably, I would have to test this.

Mouse pointed out I was wrong about the spec. It turns out RFC 4253 providesfor text before version string when sent by servers, not by clients. It'sdefinitely necessary to test.

As discussed with Mouse, if this exact method doesn't work, there arealternatives. Server could send "expect-key" host key alg in KEXINIT, andclient could send a new message SSH_MSG_EXPECT_KEYS after its KEXINIT. Thiswould still solve the primary objective, but would not have all the samenice properties. E.g. the server could not use that to avoid fingerprinting.

it has the potential to break lots of things


That seems to be the main potential downside of the method as presented.

But there are other ways to do it, and the suggested approach could beproven safe in testing.



denis


----- Original Message -----
From: Peter Gutmann
Sent: Friday, March 24, 2017 01:22
To: denis bider (Bitvise) ; ietf-ssh%netbsd.org@localhost
Cc: djm%mindrot.org@localhost ; Simon Tatham
Subject: Re: Fixing exchange of host keys in the SSH key exchange

denis bider (Bitvise) <ietf-ssh3%denisbider.com@localhost> writes:

(1) Security benefit: although the client could still not verify the server’s
signature during key exchange, or could do any number of other things
incorrectly; under reasonable assumptions, if the client has to communicate
one or more fingerprints of the server’s host key(s) before KEXINIT, this

prevents the situation where the client will present the user with a hostkey

verification dialog, and the user will just click through it.


It also makes things a lot more painful for the user.  If you regularly need

to SSH into a dozen different devices to administer them, it gets evenworse.

(2) Security benefit: on servers that enable this policy, and prevent

connections where the client does not communicate a correct server hostkey,

drive-by password guessing becomes largely impossible, since unknown
attackers do not know the server’s host key.


This is really just an awkward form of port-knocking.  If you want to use a
port-knocking-style mechanism, you should probably do it properly.  If you

want to bind a client to a server ("only this client, only this server")then

there are better ways of doing it than this.

Server implementations that do not know about this extension, but correctly
implement the spec,


How do we know what percentage of servers do this?  It's true that the spec

says you should expect other stuff in the textual data, but since prettymucheverything out there only ever sends the SSH ID string, it's quite likelythatlots of implementations will choke on unexpected extra lines of text. Evenin

cases where the code does try and handle non-SSH-ID lines, the absence of
anything that sends them means it's probably never been tested.

This doesn't seem like a good idea, it has the potential to break lots of
things, while what you're getting in return could be done better in other
ways.

Peter.

References:
- Fixing exchange of host keys in the SSH key exchange
  - From: denis bider (Bitvise)
- Re: Fixing exchange of host keys in the SSH key exchange
  - From: Peter Gutmann

Prev by Date: Re: Fixing exchange of host keys in the SSH key exchange
Next by Date: Re: Fixing exchange of host keys in the SSH key exchange
Previous by Thread: Re: Fixing exchange of host keys in the SSH key exchange
Next by Thread: Re: Fixing exchange of host keys in the SSH key exchange
Indexes:

Home | Main Index | Thread Index | Old Index