sawyl: (Default)
[personal profile] sawyl
Spent a big chunk of my afternoon going through the high-level implementation of the secure shell protocol, patiently trying to explain to someone why replacing the host keys was (a) necessary; (b) why this work had caused a few, transient man-in-the-middle warnings; and (c) why these warnings could not possibly have triggered any of the problems he was concerned about.

Essentially, the problem has occurred because:

  • in order to implement hostbased authentication, each host seems to require a unique public-private key pair (I haven't been able to convince myself, ab initio, that this is necessary, but I've also been unable to get hostbased authentication to work without it)
  • all the OS images are clones of a single instance meaning that they default to using the same host key
  • the only way to apply a customisation is through a post-boot script that copies the host-specific key into place halfway through the boot sequence, creating a window where the host will respond to ssh requests with the wrong host key
  • the caching of host keys in ~/.ssh/known_hosts makes it possible for an invalid host key to be added to the system
  • someone has added StrictHostKeyChecking no to the configuration, causing the commands to work even when the host keys don't match, further adding to the confusion

After explaining all this a couple of times, somewhat incoherently, and following it up with an email, I'm not entirely convinced that I managed to get my point across and I was tempted to round the discussion off with, "Trust me: even if you don't understand it, I do and it isn't a problem..." Fortunately, tact and good sense prevailed over sarcasm and desire to be patronising.
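An added example, not part of the original post: a small audit that looks for the symptoms listed above in a known_hosts file (one key cached for several hosts, as with a cloned image, and one host cached with several keys, as after the boot window) and for StrictHostKeyChecking being switched off in an ssh_config file. The host names, key blobs and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data; the key blobs are placeholders, not real keys.
# node1 and node2 were both cached with the cloned image's key during the
# boot window; node2 was later seen with its own host-specific key as well.
SAMPLE_KNOWN_HOSTS = """\
# constructed example
node1,10.0.0.1 ssh-ed25519 AAAAC3CLONEDIMAGEKEY
node2 ssh-ed25519 AAAAC3CLONEDIMAGEKEY
node2 ssh-ed25519 AAAAC3NODE2UNIQUEKEY
node3 ssh-ed25519 AAAAC3NODE3UNIQUEKEY
"""
SAMPLE_SSH_CONFIG = "Host *\n    StrictHostKeyChecking no\n"


def audit_known_hosts(text):
    """Return (shared, conflicting).

    shared: key -> entries that present the same key (cloned image key).
    conflicting: (name, keytype) -> several cached keys (stale entry).
    """
    entries_by_key, keys_by_name = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        names, keytype, key = fields[:3]
        entries_by_key[key].add(names)  # aliases on one line are one host
        for name in names.split(","):
            keys_by_name[(name, keytype)].add(key)
    shared = {k: sorted(v) for k, v in entries_by_key.items() if len(v) > 1}
    conflicting = {n: sorted(v) for n, v in keys_by_name.items() if len(v) > 1}
    return shared, conflicting


def lenient_host_key_checking(config_text):
    """Return 1-based line numbers that set StrictHostKeyChecking to no/off."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), 1):
        words = line.replace("=", " ").split()
        if (len(words) >= 2 and words[0].lower() == "stricthostkeychecking"
                and words[1].strip('"').lower() in ("no", "off")):
            hits.append(number)
    return hits


if __name__ == "__main__":
    print(audit_known_hosts(SAMPLE_KNOWN_HOSTS))
    print(lenient_host_key_checking(SAMPLE_SSH_CONFIG))
```

Hashed known_hosts entries are treated as opaque names, so shared keys are still reported for them, just without readable host names.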
