Wandering Thoughts archives

2023-11-06

What client host keys OpenSSH ssh uses for host based authentication

One of the authentication options of OpenSSH, if it's enabled on both the server and the client, is host based authentication using the client's SSH host keys. On the client, this is controlled by EnableSSHKeysign and HostbasedAuthentication; on the server, by HostbasedAuthentication and perhaps IgnoreRhosts. Suppose, not hypothetically, that you use this along with some personal SSH keys, and some day you try to connect to some new system and get rudely disconnected before you get prompted for a password. The direct answer to what's happening is that you've run into the server's limit on how many different authentication options it will let you try (this can also come up if you have a lot of personal keys), set by the server's MaxAuthTries. Further, when you run 'ssh -v' to see where all the identities are coming from, a number of them are client SSH host keys, including a type of host key that you don't even use (you've explicitly set HostKey in your sshd_config to not include them).

Since you're running into limits on the number of identities you can offer, and some of them are from the host keys, it would be nice to control what client host keys you offer to the server. Or at least to understand where this is set and why, for example, 'ssh -v' says that you're offering a 'ecdsa-sha2-nistp256' host key when you don't even use ECDSA. Unfortunately, today all of this is underdocumented and it's somewhat hard to control, although not impossible.

Based on reading the source code, the decisions about what host keys to try to sign and where to find them are split between ssh-keysign and ssh itself, although in a confusing way. Both ssh and ssh-keysign look for the default, traditional names of the host keys (such as /etc/ssh/ssh_host_rsa_key) and determine what host keys to offer based on a combination of what files are present and what host key algorithms ssh likes. Ssh-keysign is ultimately responsible for reading the keys, so what it looks for and finds limits what ssh can ask for.

(Both ssh and ssh-keysign hard code these key paths, although the ssh-keysign source code has a comment that it should use your sshd_config to determine the key paths.)

There are two ways to control what host keys are ultimately used, the brute force way and the nominally correct way. The brute force way is to entirely remove (or rename) the host key files in /etc/ssh for the host key types you don't use. For example, if you don't use ECDSA keys and set HostKey in your sshd_config to exclude them, remove /etc/ssh/ssh_host_ecdsa_key* (which was probably created automatically by, for example, the Ubuntu Linux installer).

The nominally correct way is to change what hostbased authentication algorithms ssh will try to use (well, ask ssh-keysign to use), which is controlled by the HostbasedAcceptedAlgorithms directive from ssh_config (in older OpenSSH versions, this is called HostbasedKeyTypes instead). You can set this to a restricted list, or you can use the OpenSSH '-' syntax to remove some algorithms, for example:

HostbasedAcceptedAlgorithms -ecdsa-sha2-nistp256

The host keys that your ssh will offer to the server for hostbased authentication are those keys that are both available under their standard names in /etc/ssh and allowed by HostbasedAcceptedAlgorithms. Note that some key types can be used by more than one algorithm; working out what algorithms you need to disallow is left as an exercise.

(As you'd expect, this doesn't affect what key algorithms can be used for personal keys. If you want to use personal ECDSA keypairs, you still can.)

Because ssh and ssh-keysign don't currently pay attention to the ssh server configuration, you can play some tricks here that are probably unwise by moving or renaming some or even all SSH host keys that the server uses, specifying their new locations with HostKey sshd_config directives. If you move the server's RSA key but not its ED25519 key, the server will identify itself with both but ssh on the server will only try to use the ED25519 key to authenticate to other servers. More extreme tricks are at least theoretically possible but I'm not going to describe them here.

sysadmin/OpenSSHWhatKeysForKeysigning written at 22:40:12; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.