Bug 2400 - Fully refuse changed hostkeys when StrictHostKeyChecking=no
Status: ASSIGNED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 6.8p1
Hardware: All
OS: All
Importance: P5 enhancement
Assignee: Damien Miller
URL:
Keywords:
Depends on:
Blocks: 3176
Reported: 2015-05-18 11:16 AEST by mik
Modified: 2020-06-02 08:09 AEST

See Also:


Attachments
Patch against ssh_config(5) (643 bytes, patch), 2015-08-13 15:39 AEST, mik
add StrictHostKeyChecking=accept-new|off (6.09 KB, patch), 2016-03-04 14:18 AEDT, Damien Miller
updated to -current (6.09 KB, patch), 2017-09-01 16:20 AEST, Damien Miller
flip meaning of StrictHostKeyChecking=no (506 bytes, patch), 2018-06-08 13:49 AEST, Damien Miller

Description mik 2015-05-18 11:16:35 AEST
The legacy behaviour of StrictHostKeyChecking=no involves allowing connections even if the host key has changed.  What most deployments want when they set this is just TOFU.

It is common for batch processing and cluster systems to deploy with this option permanently set, completely undermining the security of such systems - for example, an attacker could intercept a data processing stage to steal a copy of all of the private data.
Comment 1 mik 2015-05-18 16:05:29 AEST
From the man page:
If this flag is set to “no”, ssh will automatically add new host keys to the user known hosts files.

No mention of the HOST_CHANGED behaviour, so even somebody who mostly knows what they're doing is likely to get it wrong.  Most people who use this option are better off with certificates now (or StrictHostKeyChecking=yes + ssh-keyscan).
Comment 2 Damien Miller 2015-08-11 22:59:13 AEST
Retarget pending bugs to openssh-7.1
Comment 3 mik 2015-08-13 15:39:36 AEST
Created attachment 2682
Patch against ssh_config(5)
Comment 4 Damien Miller 2016-02-26 14:44:28 AEDT
Retarget to openssh-7.3
Comment 5 Damien Miller 2016-02-26 14:47:22 AEDT
Retarget to openssh-7.3
Comment 6 Damien Miller 2016-03-04 14:18:28 AEDT
Created attachment 2794
add StrictHostKeyChecking=accept-new|off

This adds a couple more granular options to StrictHostKeyChecking: "accept-new" (better name wanted) and "off".

StrictHostKeyChecking=off is the current behaviour of "no".

StrictHostKeyChecking=accept-new will accept new hostkeys without prompting but will disconnect for changed hostkeys.

If this goes in then we can make StrictHostKeyChecking=no a synonym for accept-new at some future time (and with forewarning).
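As an added example (this is not code from this bug or from OpenSSH), the POSIX shell script below audits an ssh_config for the legacy "StrictHostKeyChecking no" setting that Comment 6 proposes to retire, and prints a copy of the config with that value rewritten to accept-new. The sample config, its host names and the two function names are constructed for illustration. It goes slightly beyond the comment in that the parser handles all three keyword forms ssh_config accepts ("Key value", "Key=value", "Key = value"), case-insensitive keywords, and both Host and Match blocks, so the same check works on real client configs.

```sh
#!/bin/sh
# Added example, not part of this bug or of OpenSSH itself: find the legacy
# "StrictHostKeyChecking no" setting in an ssh_config and emit a hardened copy
# that uses accept-new (new keys are recorded, changed keys are refused).

# Constructed sample config; the hosts are hypothetical.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
# batch cluster client config (constructed example)
Host *.cluster.example
    User batch
    StrictHostKeyChecking no

Host bastion
    StrictHostKeyChecking=yes
    UserKnownHostsFile ~/.ssh/known_hosts.bastion

Host *
    strictHostKeyChecking   No
EOF

# find_weak_strict_hostkey_checking FILE
# Prints "<Host/Match line>\t<offending line>" for every block that sets
# StrictHostKeyChecking to "no". ssh_config keywords are case-insensitive and
# accept "Key value", "Key=value" and "Key = value", so parse all three forms.
find_weak_strict_hostkey_checking() {
    awk '
    BEGIN { block = "(global, before any Host/Match block)" }
    {
        line = $0
        sub(/^[ \t]+/, "", line)                  # leading indentation is allowed
        if (line == "" || line ~ /^#/) next       # blank lines and comments
        split(line, f, /[ \t=]+/)
        key = tolower(f[1]); val = tolower(f[2])
        if (key == "host" || key == "match") { block = line; next }
        if (key == "stricthostkeychecking" && val == "no")
            printf "%s\t%s\n", block, line
    }' "$1"
}

# harden_config FILE
# Copies the config to stdout, rewriting only the value of each
# "StrictHostKeyChecking no" to accept-new; key spelling, separator and
# indentation are preserved so the result diffs cleanly against the original.
harden_config() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line != "" && line !~ /^#/) {
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == "stricthostkeychecking" && tolower(f[2]) == "no")
                sub(/[nN][oO][ \t]*$/, "accept-new")
        }
        print
    }' "$1"
}

echo "== blocks still using StrictHostKeyChecking=no =="
find_weak_strict_hostkey_checking "$SAMPLE_FILE"
echo
echo "== hardened config =="
harden_config "$SAMPLE_FILE"
```

On the sample above the audit reports the "*.cluster.example" and "Host *" blocks and leaves the bastion block (already "yes") alone. The rewritten value is only meaningful on a client that understands it (the patch shipped in openssh-7.6 per Comment 16); on an older client an unknown value is a configuration error, so check the version before rolling the change out. With accept-new, a host whose key changes makes the client disconnect instead of proceeding, which is the behaviour this bug asks for.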
Comment 7 Jim Knoble 2016-03-04 18:55:56 AEDT
Instead of "accept-new", how about "StrictHostKeyChecking=known-only" or "known-hosts" or similar? That is more obvious about which host keys are strict (and "known-hosts" implies the file of a similar name where such keys are stored...).
Comment 8 Damien Miller 2016-07-22 14:10:56 AEST
retarget unfinished bugs to next release
Comment 9 Damien Miller 2016-07-22 14:14:47 AEST
retarget unfinished bugs to next release
Comment 10 Damien Miller 2016-07-22 14:15:40 AEST
retarget unfinished bugs to next release
Comment 11 Damien Miller 2016-07-22 14:17:17 AEST
retarget unfinished bugs to next release
Comment 12 Damien Miller 2016-12-16 14:31:22 AEDT
OpenSSH 7.4 release is closing; punt the bugs to 7.5
Comment 13 Damien Miller 2017-06-30 13:43:03 AEST
Move incomplete bugs to openssh-7.6 target since 7.5 shipped a while back.

To calibrate expectations, there's little chance all of these are going to make 7.6.
Comment 14 Damien Miller 2017-06-30 13:44:32 AEST
remove 7.5 target
Comment 15 Damien Miller 2017-09-01 16:20:47 AEST
Created attachment 3049
updated to -current
Comment 16 Damien Miller 2017-09-04 09:39:28 AEST
Patch is applied; will be in openssh-7.6
Comment 17 Damien Miller 2018-04-06 13:12:22 AEST
Move to OpenSSH 7.8 tracking bug
Comment 18 Damien Miller 2018-06-08 13:49:32 AEST
Created attachment 3159
flip meaning of StrictHostKeyChecking=no

The only thing remaining in this bug is to change the meaning of StrictHostKeyChecking=no from accepting changed host keys (with restrictions) to refusing them. We'll wait a few more releases before committing this.
Comment 19 Damien Miller 2018-06-08 13:50:14 AEST
Remove release target for now