2293 – ssh should have an option to automatically trust a local sshd's host key for a given set of names

Bug 2293 - ssh should have an option to automatically trust a local sshd's host key for a given set of names

Summary: ssh should have an option to automatically trust a local sshd's host key for ...

Status:	CLOSED FIXED

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	ssh (show other bugs)
Version:	6.7p1
Hardware:	All All

Importance:	P5 enhancement
Assignee:	Assigned to nobody

URL:
Keywords:

Depends on:
Blocks:	V_7_7
	Show dependency tree / graph

Reported:	2014-10-15 08:11 AEDT by Christoph Anton Mitterer
Modified:	2021-04-23 15:08 AEST (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christoph Anton Mitterer 2014-10-15 08:11:55 AEDT

Hi.

I think it would be nice, if there was an option that lets ssh automatically trust hostkeys from a local sshd for a given set of names.

One could have e.g. the options:
1) LocalTrustedPublicHostKeyFiles
This would specify the locations of the files, where the public keys are found.
It could default to every file given in a HostKey directive in /etc/ssh/sshd_config.
But it should also allow a list of files to be given, just in case people run more than one sshd on their host, e.g. bound to different addresses and/or ports,... some in VMs or from "within" a chroot.


2) LocalTrustedHostNames
That should be a list of names for which only the keys from (1) will be considered valid.
Ideally it should default to anything that one can use to reach the local sshd's, which may include things like:
127.0.0.0/8
::1
localhost
hostname
hostname.fqdn
If possible also any local v4 and v6 addresses/prefixes, which is actually a bit tricky, since you may also have things like link local addresses/prefixes.

Even better it would do that only for addresses/names, where the local sshd really listens on.


Cheers,
Chris.

Comment 1 Christoph Anton Mitterer 2014-10-21 12:57:06 AEDT

I just saw, that NoHostAuthenticationForLocalhost=yes nearly already does what I've asked for.

It even works for other names than "localhost", e.g. "ip6-localhost" or "hostname" "hostname.fqdn", so I guess the check, whether a target is localhost, is based on whether it resolves to 127.0.0.0/8 or ::1 , right?

1) I think it would be nice to have it in the manpage, how it actually determines whether a host is local.


2) The only thing what would be missing from what I've asked for above, is that it would also work for addresses (and names resolving to these) that are bound to local interfaces, e.g. if my eth0 listens to 1.2.3.4, then it is accepted as well.

But I'm no longer sure myself, whether this would be so smart and secure.
The loopback device is defined to really go to the localhost only, but any other addresses my have black magic functionality (e.g. address rewriting).



I've reworked the documentation a bit:
https://github.com/openssh/openssh-portable/pull/10

Afterwards I think we can close this issue.

Comment 2 Damien Miller 2018-02-10 17:39:04 AEDT

I've committed 4f011daa4cad to clean up the NoHostAuthenticationForLocalhost explanation.

For hosts other than localhost, you can use "Match host" + UserKnownHostsFile=/dev/null + StrictHostKeyChecking=no

Comment 3 Damien Miller 2021-04-23 15:08:47 AEST

closing resolved bugs as of 8.6p1 release