Bug 2400

Summary:

Fully refuse changed hostkeys when StrictHostKeyChecking=no

Product:

Portable OpenSSH

Reporter:

mik

Component:

ssh

Assignee:

Damien Miller <djm>

Status:

ASSIGNED ---

Severity:

enhancement

CC:

djm, jmknoble, mik

Priority:

Version:

6.8p1

Hardware:

All

OS:

All

Bug Depends on:

Bug Blocks:

3176

Attachments:

Description	Flags
Patch against ssh_config(5)	none
add StrictHostkeyChecking=accept-new\|off	none
updated to -current	none
flip meaning of StrictHostKeyChecking=no	none

Description mik 2015-05-18 11:16:35 AEST

The legacy behaviour of StrictHostKeyChecking=no involves allowing connections even if the host key has changed.  What most deployments want when they set this is just TOFU.

It is common for batch processing and cluster systems to deploy with this option permanently set, completely undermining the security of such systems - for example, an attacker could intercept a data processing stage to steal a copy of all of the private data.

Comment 1 mik 2015-05-18 16:05:29 AEST

From the man page:
If this flag is set to “no”, ssh will automatically add new host keys to the user known hosts files.

No mention of the HOST_CHANGED behaviour, so even somebody who mostly knows what they're doing is likely to get it wrong.  Most people who use this option are better off with certificates now (or StrictHostKeyChecking=yes + ssh-keyscan).

Comment 2 Damien Miller 2015-08-11 22:59:13 AEST

Retarget pending bugs to openssh-7.1

Comment 3 mik 2015-08-13 15:39:36 AEST

Created attachment 2682 [details]
Patch against ssh_config(5)

Comment 4 Damien Miller 2016-02-26 14:44:28 AEDT

Retarget to openssh-7.3

Comment 5 Damien Miller 2016-02-26 14:47:22 AEDT

Retarget to openssh-7.3

Comment 6 Damien Miller 2016-03-04 14:18:28 AEDT

Created attachment 2794 [details]
add StrictHostkeyChecking=accept-new|off

This adds a couple more granular options to StrictHostkeyChecking: "accept-new" (better name wanted) and "off".

StrictHostkeyChecking=off is the current behaviour of "no".

StrictHostkeyChecking=accept-new will accept new hostkeys without prompting but will disconnect for changed hostkeys.

If this goes in then we can make StrictHostkeyChecking=no a synonym for accept-new at some future time (and with forewarning).

Comment 7 Jim Knoble 2016-03-04 18:55:56 AEDT

Instead of "accept-new", how about "StrictHostkeyChecking=known-only" or "known-hosts" or similar? That is more obvious about which host keys are strict (and "known-hosts" implies the file of a similar name where such keys are stored...).

Comment 8 Damien Miller 2016-07-22 14:10:56 AEST

retarget unfinished bugs to next release

Comment 9 Damien Miller 2016-07-22 14:14:47 AEST

retarget unfinished bugs to next release

Comment 10 Damien Miller 2016-07-22 14:15:40 AEST

retarget unfinished bugs to next release

Comment 11 Damien Miller 2016-07-22 14:17:17 AEST

retarget unfinished bugs to next release

Comment 12 Damien Miller 2016-12-16 14:31:22 AEDT

OpenSSH 7.4 release is closing; punt the bugs to 7.5

Comment 13 Damien Miller 2017-06-30 13:43:03 AEST

Move incomplete bugs to openssh-7.6 target since 7.5 shipped a while back.

To calibrate expectations, there's little chance all of these are going to make 7.6.

Comment 14 Damien Miller 2017-06-30 13:44:32 AEST

remove 7.5 target

Comment 15 Damien Miller 2017-09-01 16:20:47 AEST

Created attachment 3049 [details]
updated to -current

Comment 16 Damien Miller 2017-09-04 09:39:28 AEST

Patch is applied; will be in openssh-7.6

Comment 17 Damien Miller 2018-04-06 13:12:22 AEST

Move to OpenSSH 7.8 tracking bug

Comment 18 Damien Miller 2018-06-08 13:49:32 AEST

Created attachment 3159 [details]
flip meaning of StrictHostKeyChecking=no

The only thing remaining in this bug is to change the meaning of StrictHostKeyChecking=no from accepting changed host keys (with restrictions) to refusing them. We'll wait a few more releases before committing this.

Comment 19 Damien Miller 2018-06-08 13:50:14 AEST

Remove release target for now