OpenSSH has broader key revocation than I thought

October 31, 2018

A while back, OpenSSH gained support for doing host and user authentication through a local Certificate Authority. Instead of directly trusting public keys, you configured a CA (or more than one) and then trusted anything signed by that CA. For user keys, this has the usual weakness of the basic CA model; for host keys, it's probably an improvement in practice but I'd like to know what happens if you get handed a new CA-signed host key for a host that you already saw one for.

If you're sensible, when you add Certificate Authorities to a security system you also add key revocation. So I wasn't particularly surprised to read in passing that OpenSSH supported key revocation, and I didn't think anything more about it. For years, I've assumed that OpenSSH's key revocation was intended for and limited to CA-signed keys. As I discovered recently when I actually looked at the relevant sections of the manual pages, this is not the case. While revoking keys appears to have been added to OpenSSH along with CA signed keys in OpenSSH 5.4 (released in early 2010), they were never limited to revoking only those keys. OpenSSH key revocation can be used to block any SSH key, and it's been that way from the beginning.

(For instance, the sshd_config(5) manpage is very specific on this, saying about RevokedKeys that 'keys listed in this file will be refused for public key authentication'. Any keys. And in fact it cautions you that if this file is unreadable, all keys will be refused.)

Keys to be revoked can be specified in a variety of ways, per the manpage. The most straightforward one is simply one public key per line, exactly as you'd put them in authorized_keys (and perhaps that's where you get them from). For CA-signed keys, you have a couple of options spelled out in ssh-keygen(1)'s 'Key Revocation Lists'. OpenSSH 7.9 adds some additional useful options, but that's another entry (especially since it will probably be a few years before it's relevant to us; Ubuntu 18.04 is probably unlikely to update their version, much less 16.04).

With that said, I'm not sure there's much use for key revocation in our particular environment because people have only a single home directory and thus a single authorized_keys to maintain. If a key is compromised, it just gets removed.

(I'm assuming that attackers won't reuse keys that they add to someone's authorized_keys and so there's no point in blocking further uses of such a key. This may be wrong.)

Written on 31 October 2018.
« Shooting myself in the foot by cargo-culting Apache configuration bits
Do I feel uncertain about CentOS's future now? Yes, a bit »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Wed Oct 31 01:45:50 2018
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.