On Tue, Sep 29, 2020 at 8:07 PM Damien Miller <djm@xxxxxxxxxxx> wrote: > > On Tue, 29 Sep 2020, Nico Kadel-Garcia wrote: > > > There are setups SSH targets where it is useful for, primarily > > externally and consistentlyconfigured hosts with stable DNS and > > hostkeys, such as github or gitlab. But for internal services, it's > > generally far more trouble than it's worth. Sorry for typos. I'm due for eye surgery on my *other* eye, which got canceled. > FWIW I think this is bad advice. > > Services are only "internal" to the extent that you can trust your network. > Search "SSL added and removed here" for a practical demonstration of this > assumption yielding undesirable results. Stable hostkeys are theoretically useful, but in practice have caused *far* more service disruption than they've prevented abuse. Few SSH users are cautious enough and thorough enough to review mismatched keys on an individual basis. The nearly universal "fix" is to simply delete $HOME/.sh/known_hosts, to clear your cache, and start it over from scratch. Clearing the keys is hindered by the hasing of the entries. > Disabling hostkey checking is a big hammer, but occasionally useful for > lab environments. Generally I recommend that people who are having trouble > with hostkey management consider using host certificates. Yes, it is a big hammer. It's a big hammer for a problem that, thinking back, I've needed to use it or some more arcane hammer for the same problem professionally at least once a year since.... 1995? When ssh-1 was first written? Signing the hostkeys means the labor and management of signing the hostkeys. It's time, work, and money for the servers, and time, work, and money configuring the clients to require them. When you're managing more than 10,000 servers, with a crew of 30, .and some fool mishandles hostkey preservation for an OS deployment..... it's a nasty problem. That was in.... 2000? Signed Hostkeys since OpenSSH 5.4 are a possibly better approach if you're actually concerned about SSH hostkey consistency. But the additional certificate signature is extra time, work, and money that very few environments, even large environments, are weilling to invest. The problem is especially drastic for git servers. Github and gitlab are consistent about the host keys., but many environments fail to preserve hostkeys when they build or update their git servers. I have..... stories about that one. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
