Bug 3113 - StrictHostKeyChecking=no works with changed 1024 bit RSA hostkeys but fails when 2048 RSA
Summary: StrictHostKeyChecking=no works with changed 1024 bit RSA hostkeys but fails w...
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh (show other bugs)
Version: 7.6p1
Hardware: amd64 Linux
: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-01-17 21:39 AEDT by Andy Hart
Modified: 2021-04-23 14:54 AEST (History)
1 user (show)

See Also:

Attachments
SSH debug connection output as requested (9.18 KB, text/plain)
2020-01-28 02:29 AEDT, Andy Hart 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andy Hart 2020-01-17 21:39:49 AEDT 
We currently implement the StrictHostKeyChecking=no in a user account's ~/.ssh/config file, to ensure that automated backups aren't affected by a change of the ssh host key across cisco switches & firewalls, and netscaler load balancers. Recently one of these devices had its SSH host key change. The ssh client connecting to it (ubuntu 18.04, running openssh 7.6p1) failed to automatically accept and store the new key, preventing the backup from working. My investigation has identified that the ssh client would fail to automatically accept and store a changed SSH host key when it is of type 2048bits RSA, but will successfully accept and store a changed host key if it is of type 1024bits RSA. I have recreated this problem using a CentOS 7.6 server running openssh 7.4p1, acting as the SSH server, and a Ubuntu 18.04 server running openssh 7.6p1. Testing first with a 1024 bit RSA host key on the SSH server, I do an initial connection from my SSH client and accept the new key. I then made a single character change to the key stored in the ssh client's known hosts file and repeated the ssh connection. It successfully accepted the modified key and stored it. I then repeated the test but with a 2048 bit RSA host key on the SSH server, but after modifying the key, the second connection failed to accept and store the host key.

I have had the same results when using the "-o StrictHostKeyChecking=no" on the command line, rather than relying on the ~/.ssh/config file.
Comment 1 Damien Miller 2020-01-26 00:09:42 AEDT 
Could you please attach a debug trace ("ssh -vvv ...") from a client experiencing this problem?
Comment 2 Andy Hart 2020-01-28 02:29:18 AEDT 
Created attachment 3352 [details]
SSH debug connection output as requested

The debug output (ssh -vvv….) if from a ubuntu ssh client, connecting to a CentOS ssh server. For this capture, the SSH server has a 2048bit RSA host key. The client started with an empty known_hosts file, and made a first connection. It accepted and stored the SSH servers host key. I then modified the stored key in the clients known hosts file, and repeated the SSH connection , this time with the "-vvv" option . The connection failed with a warning about a MITM attack, i.e. despite the "StrictHostKeyChecking=no" set in the config file it did NOT accept the changed key. However, if I repeat this test with a 1024bit RSA key on the SSH server and no MITM attack is reported

Regards,
Andy
Comment 3 Damien Miller 2020-04-17 14:49:04 AEST 
This is the intended behaviour. StrictHostKeyChecking controls whether ssh accepts a *new* hostkey automatically. It is not intended to disable host key checking entirely.

I'd generally recommend against doing that, because an on-path attacker can trivially MITM your connections. If you really want to do this, then the easiest way is to pass "-oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no" to ssh.
Comment 4 Damien Miller 2021-04-23 14:54:59 AEST 
closing resolved bugs as of 8.6p1 release