Re: [Feature Request] Add (and check against) IP to known_hosts even when domain is used to connect

Hello Bob and thank you for your reply,

first of all, I hope that I'm answering in the right way, since I had enabled the daily digest and I'm not sure whether it's right to use Thunderbird's "Reply List" feature on this digest. If it's wrong this way, I apologize. I turned off the daily digest, so my next messages should be correct.

> Are you aware of HostKeyAlias?

Yes, I read that, but as far as I understand the feature is more like aliasing commands in Linux (i.e. if I have a server which I use as a webserver, I could create the alias "webserver", configure the hostname, port etc. and then just use the alias "webserver" instead of typing the whole line with port etc. OpenSSH will then act as if I typed everything as it's saved in the alias configuration). So if I understood that right, I don't really see how this helps me with my specific problem.

> Regardless of other things, for a set of servers I recommend using
> ssh-keyscan to pre-populate the known_hosts file.

Yeah, you're right. Currently my approach is far from perfect (I currently just rely on everything being correct when first connecting to a newly created server).

> but it isn't clear to me where you were thinking
> of those wildcards.

By wildcards I meant the feature of changing the entry in known_hosts to *.mydomain.com, which would match this host key for the ssh commands to webserver.example.com, database.example.com etc.

> An example name or two to help us understand the type of naming you
> are using would help make this more concrete.

Sure, here you go (just a made-up example):

Imagine I have two servers: Server A has the IP AA.AA.AA.AA, Server B has the IP BB.BB.BB.BB.

I have the following services running on A:

- Webserver for website 1

- Mailserver

- Database for the Website

And the following on B:

- Some backend in node

- a gitlab instance

- gitlab database

- Webserver for website 2

Further, I have the domain mydomain.com.

Now I would create the following DNS records:

webserver.mydomain.com A-Record with content AA.AA.AA.AA

mailserver.mydomain.com A-Record with content AA.AA.AA.AA

[...]

node-backend.mydomain.com A-Record with content BB.BB.BB.BB

gitlab.mydomain.com A-Record with content BB.BB.BB.BB

[...]

If I had to add another service, I would install it on one of the servers, create a respective record, and from then on I could connect to the server running the service by using its DNS name (i.e. if I'd like to ssh into the server running the mailserver, I'd just type ssh username@xxxxxxxxxxxxxxxxxxxxxxx).

Until now it sounds like something easy to accomplish with the alias feature. *But* this has a few disadvantages for me:

- It requires a client-side configuration which would need to be synced between multiple clients (i.e. laptop, PC)

- It requires making a change to this config (and resyncing it to all my devices) when I move a service to another server, instead of just changing the DNS settings, which are automatically in sync

- My end goal goes even further (I left that out in the first mail because it makes everything sound way more complex, but I'll try to explain it briefly now):

What I really want to create in the end is something like this:

A service (probably web based). Let's say it has the domain myservice.net. At the beginning I want to use the service just for myself; later, users shall be able to create a subdomain on this service (for free), i.e. username.myservice.net.

Then they shall be able to add their servers (so their IPv4 and/or IPv6 addresses) like they would add A and AAAA records in every normal DNS service. The special thing is that they can add a description for every server. This may be keywords or even a short text summarizing all services running on the server.

The special thing is a custom-designed DNS server (which I already started to implement, since I did not know that known_hosts does not save the IP but instead the hostname to check a server's fingerprint).

This DNS server implements a feature that I'd call "search by DNS". I think I should explain it with the example from above.

So imagine I created the subdomain joshua.myservice.net on the service.

Then I'd add my servers A and B with their respective IP addresses AA.AA.AA.AA and BB.BB.BB.BB.

For server A the description could look like this: "This server runs a webserver for website 1, a mailserver and the respective database for the website"

And server B's description could look like "This server runs the node backend, the gitlab instance, the respective database for gitlab and the webserver for website 2"

Now I want to be able to use all subdomains under joshua.myservice.net as a search query which resolves to the respective server as soon as the search has exactly one result (this is what the custom DNS server implements).

So, for example, I could type ssh username@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Since only the description of Server B contains the words "git" *and* "database", this is the only server matching the search term, and so it's resolved to the IP of server B, BB.BB.BB.BB.

*But* (and this is why I think wildcards and aliases are not suitable for this) the same search could also look like this:

database.gitlab.joshua.myservice.net OR gitlab-data.myservice.net and so on.

So there is an infinite number of hostnames for each server. Also, since many users could use the service and it (or one of the servers) *could* be hacked, I don't want to use a wildcard like *.joshua.myservice.net (what I mean by wildcard is explained above). This would open an attack vector like the one described here (https://superuser.com/a/1328615/933511) (under the heading "security caveat").

In my opinion a service like this could be really useful (at least for me), but I don't think that it would be usable if it opens up even a small attack vector or if it requires more than one small client-side configuration change.

So as far as I can see, the only option to make this useful and keep it secure would be if there was an option like I described to add (and check) host keys by IP even if a hostname is used to connect.

Sorry for the long message, it's pretty hard for me to explain it in detail in English.


Thank you for your time again

Kind regards

Joshua


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
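Added example (not from the thread and not OpenSSH's own code): a small Python model of how a client matches a hostname against the host field of known_hosts entries, covering the general pattern syntax of which the `*.mydomain.com` wildcard above is one case (comma-separated names, `*`/`?` wildcards, `!` negation, the `[host]:port` form, and the hashed `|1|salt|hash` form that `ssh-keygen -H` writes). It runs over a constructed known_hosts for the made-up servers A and B; key strings and the AA/BB addresses are placeholders. The output makes the "security caveat" from the linked answer concrete: once each server has its own line under one wildcard, any name under joshua.myservice.net is accepted with either server's key, whereas the exact entries ssh-keyscan pre-populates keep one key per name. `@cert-authority`/`@revoked` marker lines and ssh's separate IP cross-check (the CheckHostIP option) are not modelled.

```python
"""Model of OpenSSH known_hosts host-field matching (added example, not from
the thread or from OpenSSH itself); shows what a wildcard entry widens."""
import base64
import hashlib
import hmac
import re

SALT = bytes(range(20))  # constructed fixed salt so hashed entries are deterministic


def hash_hostname(hostname, salt=SALT):
    """Produce the '|1|<salt>|<hmac-sha1>' form that ssh-keygen -H writes."""
    mac = hmac.new(salt, hostname.lower().encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def _pattern_to_regex(pattern):
    # OpenSSH patterns know only '*' and '?'; everything else is literal.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def host_matches(host_field, hostname):
    """Comma-separated patterns, '!' negation, and hashed '|1|' names."""
    hostname = hostname.lower()
    matched = False
    for pat in host_field.split(","):
        if pat.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pat.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                matched = True
            continue
        negated = pat.startswith("!")
        if _pattern_to_regex(pat[1:] if negated else pat).match(hostname):
            if negated:
                return False  # a negated match vetoes the whole entry
            matched = True
    return matched


def trusted_keys(known_hosts_text, hostname, port=22):
    """All (keytype, key) pairs the client would accept for this name."""
    name = hostname if port == 22 else "[%s]:%d" % (hostname, port)
    keys = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        # skip comments; @cert-authority/@revoked marker lines are out of scope here
        if not line or line[0] in "#@":
            continue
        host_field, keytype, key = line.split()[:3]
        if host_matches(host_field, name):
            keys.append((keytype, key))
    return keys


# Constructed known_hosts for the made-up servers A and B; key strings and
# addresses are placeholders, not real keys or IPs.
KNOWN_HOSTS = "\n".join([
    "# exact entries, as ssh-keyscan would pre-populate them",
    "webserver.mydomain.com,mailserver.mydomain.com,AA.AA.AA.AA ssh-ed25519 KEY_OF_SERVER_A",
    "gitlab.mydomain.com,node-backend.mydomain.com,BB.BB.BB.BB ssh-ed25519 KEY_OF_SERVER_B",
    hash_hostname("database.mydomain.com") + " ssh-ed25519 KEY_OF_SERVER_A",
    "# wildcard entries, one line per server, for the search-by-DNS names",
    "*.joshua.myservice.net,!retired.joshua.myservice.net ssh-ed25519 KEY_OF_SERVER_A",
    "*.joshua.myservice.net ssh-ed25519 KEY_OF_SERVER_B",
]) + "\n"


def accepted_keys_by_name():
    """Map each name from the thread's example to the keys accepted for it."""
    names = ["webserver.mydomain.com", "database.mydomain.com", "gitlab.mydomain.com",
             "BB.BB.BB.BB", "git.database.joshua.myservice.net",
             "retired.joshua.myservice.net", "unknown.mydomain.com"]
    return {n: sorted({k for _, k in trusted_keys(KNOWN_HOSTS, n)}) for n in names}


if __name__ == "__main__":
    for name, keys in accepted_keys_by_name().items():
        print("%-38s %s" % (name, ", ".join(keys) or "(no entry: ssh would ask to confirm)"))
```

The line for git.database.joshua.myservice.net lists both KEY_OF_SERVER_A and KEY_OF_SERVER_B: a client holding this file would accept a connection to that name from whichever of the two servers answers, so a compromise of one server's key is enough to impersonate the other for every name under the wildcard. The exact and hashed entries above it each pin a single key.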


