Bug 3219

Summary: Can't connect to a server that is using several host keys of the same type
Product: Portable OpenSSH Reporter: jatjasjem
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: normal CC: djm
Priority: P5    
Version: 8.4p1   
Hardware: amd64   
OS: Linux   

Description jatjasjem 2020-10-03 07:40:34 AEST 
According to RFC 4253, "There MAY be multiple host keys for a host, possibly 
with different algorithms." (https://tools.ietf.org/html/rfc4253#section-7.1)

It is possible to connect using all keys that are using different algorithms 
(e.g. you can use ecdsa-sha2-nistp256 and ecdsa-sha2-nistp521 at the same 
time). It also seems to be possible to *specify* multiple keys of the same 
type (e.g. two ecdsa-sha2-nistp256 keys). But in the latter case, I couldn't 
connect using any key except the first one that was specified in configuration.

To reproduce, run

    $ rm ~/.ssh/known_hosts
    $ cd /etc/ssh/
    $ ssh-keygen -t rsa -f ssh_host_rsa_key_2
    $ `which sshd` -ddd -p 23 \
          -oHostKey=/etc/ssh/ssh_host_rsa_key \
          -oHostKey=/etc/ssh/ssh_host_rsa_key_2 

Note that both keys are loaded:

    debug1: private host key #0: ssh-rsa SHA256:xlqcusIXWGVZHjhv4HCW8mE5UfJi/rv6feiIL5sL9kE
    debug1: private host key #1: ssh-rsa SHA256:HkcubZ7yV//gGxmHhOnB72gdy0nWnlNkkgBkwMHS9t4

Also note that host key algorithms has duplicate strings. This probably should
not be happening:

    debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]

Connect and accept the key

    $ ssh user@localhost -p 23
    The authenticity of host '[localhost]:23 ([127.0.0.1]:23)' can't be established.
    RSA key fingerprint is SHA256:xlqcusIXWGVZHjhv4HCW8mE5UfJi/rv6feiIL5sL9kE.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '[localhost]:23' (RSA) to the list of known hosts.
    user@localhost's password:

Reconnect to verify that the key is known:

    $ ssh user@localhost -p 23
    user@localhost's password:

Now rerurn sshd but swap the two host keys, and try to connect:

    $ `which sshd` -ddd -p 23 \
          -oHostKey=/etc/ssh/ssh_host_rsa_key_2 \
          -oHostKey=/etc/ssh/ssh_host_rsa_key 

    $ ssh user@localhost -p 23
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    SHA256:HkcubZ7yV//gGxmHhOnB72gdy0nWnlNkkgBkwMHS9t4.
    Please contact your system administrator.
    Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
    Offending RSA key in /home/user/.ssh/known_hosts:1
    RSA host key for [localhost]:23 has changed and you have requested strict checking.
    Host key verification failed.

Also note the output of ssh-keyscan (rerun sshd wihout -d's)—it only includes
the first key:

    $ `which sshd` -p 23 \
          -oHostKey=/etc/ssh/ssh_host_rsa_key_2 \
          -oHostKey=/etc/ssh/ssh_host_rsa_key 
    $ ssh-keyscan -p 23 localhost
    # localhost:23 SSH-2.0-OpenSSH_8.4
    [localhost]:23 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2fitD0wgrjJNzlTeVjLH8KWCkZMW19BoRtiy64WTxGfADZugofpzgjk5+MWD+IQLWTsFeuuNU8ygwAvY9l2EfAC88U2mXbAWYRpkKrm9GWEja3d2mrEx3caRNGwhk6bG4YO+nid9KbdgpYzJp06EQG/DSIcvdohW8qwQJc0Of6l6j0Kam+p8NjKVkbXeJ7L//n52TTGjqfnydqDRk1IDq/2hf2sS88rYZ6PA4UrT0l1k/jWhLyKp4YL2p5dzgv9fbnn7LIhZhNhTugyjtZQdI5sxgtbqX13GSfOtWF811wlwuiDbDDWG69TmueKPnBUj9MQY4KILrw+Y/agLa6b9MMIrdj/ahYRfR9/TVYWQ4zsBmmmuqN4QiaRGvxaP24pYBeGvL6aU4YhKIFln89ENS9NQvCFtAX315OcnFOY+Xq6bGpGiAdess4a01O5GJzO4ePFDXZgRZlwoIwVC/edk+tl8VwQ9WxswuRsb4mq/mBGUZNfyjlkI2gu3TnZd0JM8=
    # localhost:23 SSH-2.0-OpenSSH_8.4
    # localhost:23 SSH-2.0-OpenSSH_8.4
    # localhost:23 SSH-2.0-OpenSSH_8.4
    # localhost:23 SSH-2.0-OpenSSH_8.4    

In the case of different ECDSA keys, the behavior is similar. However, in this
case it is possible to connect by demanding the specific host key algorithm:

    $ rm ~/.ssh/known_hosts
    $ `which sshd` -p 23 \
          -oHostKey=/etc/ssh/ssh_host_ecdsa_256 \
          -oHostKey=/etc/ssh/ssh_host_ecdsa_521
    $ ssh-keyscan -p 23 localhost
    # localhost:23 SSH-2.0-OpenSSH_8.4
    # localhost:23 SSH-2.0-OpenSSH_8.4
    [localhost]:23 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL+Lcu52+K6lal94JOmPItpyMiqL57VrWZ1fmX9ntom+RiJahg8dRMR8dCxtUdo8782LwbH0uYWj/iaGh4DMJRg=
    # localhost:23 SSH-2.0-OpenSSH_8.4
    # localhost:23 SSH-2.0-OpenSSH_8.4
    # localhost:23 SSH-2.0-OpenSSH_8.4
    $ ssh user@localhost -p 23 -oHostKeyAlgorithms=ecdsa-sha2-nistp256
    The authenticity of host '[localhost]:23 ([127.0.0.1]:23)' can't be established.
    ECDSA key fingerprint is SHA256:TsMF+1PrXvdV9XNfrN3oYMvlL6sUc4koxtX8JekLBIY.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? ^C
    $ ssh user@localhost -p 23 -oHostKeyAlgorithms=ecdsa-sha2-nistp521
    The authenticity of host '[localhost]:23 ([127.0.0.1]:23)' can't be established.
    ECDSA key fingerprint is SHA256:Egg8iKcjEXSAUuzn/fLEOniOzB6BNXaXzd52FPQxYr0.
Comment 1 Damien Miller 2020-10-03 10:13:05 AEST 
The SSH protocol does allow a host to have multiple host keys, but only one is ever offered at a time. The protocol contains no support for requesting or learning additional host keys of the same type. See https://tools.ietf.org/html/rfc4253#page-22 - the key exchange only includes a single hostkey.

If you want your client to learn all the hostkeys that a host offers then use the UpdateHostkeys option. This is an OpenSSH protocol extension designed to fix this situation that will be enabled by default in OpenSSH 8.5.
Comment 2 jatjasjem 2020-10-04 03:18:26 AEDT 
I am not sure what would be the use of multiple host keys of the same type if
only one is offered at the same time. It the protocol doesn't allow retrying
using a different host key, perhaps the server could refuse to start if given
several host keys of the same type?

In either case, while is possible to connect using different ECDSA keys, the
algorithms must be specified explicitly. This seems to be due to the fact that
given an ECDSA key `order_hostkeyalgs` in `sshconnect2.c` will return all
ECDSA host key algorithms, including the ones incompatible with the key. This,
in turn, seems to be due to the fact that OpenSSH considers the three ECDSA
keys as being of the same type. 

Since you can't verify e.g. ECDSA nistp521 signature using 
"ecdsa-sha2-nistp384", perhaps OpenSSH could view the ECDSA keys as 
different ones?
Comment 3 Damien Miller 2020-10-04 14:33:49 AEDT 
(In reply to jatjasjem from comment #2)
> I am not sure what would be the use of multiple host keys of the
> same type if
> only one is offered at the same time. It the protocol doesn't allow
> retrying
> using a different host key, perhaps the server could refuse to start
> if given
> several host keys of the same type?

No, because we have a protocol extension (UpdateHostkeys) that makes multiple host keys of the same type actually useful, e.g. gracefully rotating keys.

> In either case, while is possible to connect using different ECDSA
> keys, the
> algorithms must be specified explicitly. This seems to be due to the
> fact that
> given an ECDSA key `order_hostkeyalgs` in `sshconnect2.c` will
> return all
> ECDSA host key algorithms, including the ones incompatible with the
> key. This,
> in turn, seems to be due to the fact that OpenSSH considers the
> three ECDSA
> keys as being of the same type. 
> 
> Since you can't verify e.g. ECDSA nistp521 signature using 
> "ecdsa-sha2-nistp384", perhaps OpenSSH could view the ECDSA keys as 
> different ones?

Yes, I'll fix that.
Comment 4 Damien Miller 2021-03-04 09:52:16 AEDT 
close bugs that were resolved in OpenSSH 8.5 release cycle