Re: Fixing exchange of host keys in the SSH key exchange

To: "Peter Gutmann" <pgut001%cs.auckland.ac.nz@localhost>, "Mouse" <mouse%Rodents-Montreal.ORG@localhost>, <ietf-ssh%NetBSD.org@localhost>
Subject: Re: Fixing exchange of host keys in the SSH key exchange
From: "denis bider \(Bitvise\)" <ietf-ssh3%denisbider.com@localhost>
Date: Sun, 26 Mar 2017 19:20:47 -0600

Peter:

https://www.usenix.org/system/files/login/articles/
105484-Gutmann.pdf

This article is actually a strong argument in favor of Expect-Key, orsomething like it.

What you found is NOT that people use TOFU (Trust On First Use). They useTWAT - Trust Whatever, Any Time:

I asked the IT support staff how many users had called
or emailed to verify the SSH server key whenever it had
changed in the past several years. They were unable to
recall a single case, or locate any records, of any user
ever verifying any SSH server key out-of-band

This is highly problematic because it means that, while SSH is supposed todefend against MITM in theory, it does not defend in practice.

OpenSSH already addresses this in their client, I believe, by making itreally quite hard to verify a changed key. Many users further configure theOpenSSH client to require a key to be set up for the first connection, tobegin with.

Expect-Key just extends that - which I think is a good practice - to allclients, in general, enforceable as a server-side policy. It defeats TWAT.

Conversely, it means the vast majority won't use it.

Users will use what administrators set up for them. If admins don't want toset up Expect-Key, fine. But this gives them a tool.


denis



----- Original Message -----
From: Peter Gutmann
Sent: Sunday, March 26, 2017 02:53
To: Mouse ; ietf-ssh%NetBSD.org@localhost
Subject: Re: Fixing exchange of host keys in the SSH key exchange

Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:

As far as I can see, this affects the user only in that "pick up the hostkey
on first connect" no longer works.


It breaks TOFU.  Since this is how the vast majority of all users use SSH

(ref:https://www.usenix.org/system/files/login/articles/105484-Gutmann.pdf),it means it would break SSH for them. Conversely, it means the vastmajority

won't use it.

Then this suggestion has the additional feature that it will smoke out such
bugs!


Trying to smoke out non-standards-compliant implementations at this point,
about twenty-odd after SSH2 started getting deployed, is probably a bit late
in the game.

Also, does this mean any implemenation that doesn't correctly implement aMUST

or MUST NOT can regarded as broken and discarded?

Peter.

Follow-Ups:
- Re: Fixing exchange of host keys in the SSH key exchange
  - From: Mouse
- Re: Fixing exchange of host keys in the SSH key exchange
  - From: Peter Gutmann

References:
- Fixing exchange of host keys in the SSH key exchange
  - From: denis bider (Bitvise)
- Re: Fixing exchange of host keys in the SSH key exchange
  - From: Peter Gutmann
- Re: Fixing exchange of host keys in the SSH key exchange
  - From: Mouse
- Re: Fixing exchange of host keys in the SSH key exchange
  - From: Peter Gutmann

Prev by Date: Re: Fixing exchange of host keys in the SSH key exchange
Next by Date: Re: Fixing exchange of host keys in the SSH key exchange
Previous by Thread: Re: Fixing exchange of host keys in the SSH key exchange
Next by Thread: Re: Fixing exchange of host keys in the SSH key exchange
Indexes:

Home | Main Index | Thread Index | Old Index