Tech/Protocols/SSH

From lathama

Use DNS SSHFP Resource Record

When connecting, SSH normally prompts the user if the host is unknown. Many users just accept the connection by typing "yes", and the host key is saved in the known_hosts file. You can instead validate the host key against DNS with an SSHFP record[1], which is fast and fun. You can also read the RFC[2].

Modern versions of Linux require an option in resolv.conf[3]

options edns0 trust-ad

Example Setup

To the bottom of the OpenSSH Client config at /etc/ssh/ssh_config add the following

VerifyHostKeyDNS yes

DNSSEC validation is required, and there can be issues with how glibc handles it. You may need to add this to your /etc/resolv.conf

options edns0 trust-ad

On the target host whose host keys you want to trust, run

$ ssh-keygen -r lathama.net
lathama.net IN SSHFP 1 1 d6e3140f7bd5bcc1818033f36d099e1d816e3028
lathama.net IN SSHFP 1 2 1b176aa089c687e522a8910537633ceb14ccffbc867941df327c480f0fa42e13
lathama.net IN SSHFP 3 1 a800d2366f21b4debb46cd5adc9d21c5ee18df2a
lathama.net IN SSHFP 3 2 9b4cc3d674d39d694e9f6fd87f726674542cc2f9af58f9066e837476493dc689
lathama.net IN SSHFP 4 1 d0beecedb5eae665495320260360597267375f6c
lathama.net IN SSHFP 4 2 020f5a2a45d8fd25ff52dbde87c0360437ed3c3a899c09fd319a6a3d9f9dddad

Add these records to the DNS zone for the domain/host whose SSH host keys you wish to trust. Validate the DNS with dig.

$ dig +short lathama.net SSHFP
1 1 D6E3140F7BD5BCC1818033F36D099E1D816E3028
1 2 1B176AA089C687E522A8910537633CEB14CCFFBC867941DF327C480F 0FA42E13
3 1 A800D2366F21B4DEBB46CD5ADC9D21C5EE18DF2A
3 2 9B4CC3D674D39D694E9F6FD87F726674542CC2F9AF58F9066E837476 493DC689
4 1 D0BEECEDB5EAE665495320260360597267375F6C
4 2 020F5A2A45D8FD25FF52DBDE87C0360437ED3C3A899C09FD319A6A3D 9F9DDDAD

Then remove any existing known_hosts entry for the host with the ssh-keygen tool.

$ ssh-keygen -R lathama.net

Everything should now be working, so it is time to test.

$ ssh lathama.net "uptime"
17:04:51 up 6 days, 18:56,  1 user,  load average: 0.00, 0.00, 0.00

To double-check, remove the entry and try again.

$ ssh-keygen -R lathama.net
Host lathama.net not found in /home/lathama/.ssh/known_hosts
$ ssh lathama.net "uptime"
17:04:51 up 6 days, 18:56,  1 user,  load average: 0.00, 0.00, 0.00
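The records that ssh-keygen -r prints are nothing more than hashes of the host's public key blob: algorithm number, fingerprint type (1 = SHA-1, 2 = SHA-256) and the hex digest. The script below, an added example that is not part of this wiki page nor of OpenSSH or dig, derives those records from a public key line, parses the output of dig +short (including the space-separated hex chunks dig prints for long records, as in the 4 2 line above), and compares the two. The host key it uses is a constructed sample with the right wire layout but random-looking bytes, so the fingerprints it prints are not real; the hostname host.example.com and the helper names are assumptions for the demo.

```python
"""Derive SSHFP records from an OpenSSH public key and check them against
`dig +short <host> SSHFP` output.  Added example, not the page's own code."""

import base64
import hashlib
import struct

# Algorithm numbers (RFC 4255, RFC 6594, RFC 7479) for the key types that
# `ssh-keygen -r` emits.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# Fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length)."""
    return struct.pack(">I", len(data)) + data


def make_sample_pubkey(keytype="ssh-ed25519", keybytes=b"\x01" * 32):
    """Constructed sample key for the demo: correct blob layout
    (string keytype, string key) but not a real key."""
    blob = ssh_string(keytype.encode()) + ssh_string(keybytes)
    return f"{keytype} {base64.b64encode(blob).decode()} sample@example"


def sshfp_records(pubkey_line):
    """Return (algorithm, fptype, hex) tuples for one .pub style line.

    The fingerprint is the hash of the raw base64 payload of the public key
    line, which is exactly what `ssh-keygen -r` hashes."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob must begin with the declared key type as an SSH string.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key blob does not match declared key type")
    alg = SSHFP_ALGORITHMS[keytype]
    return [(alg, fptype, h(blob).hexdigest())
            for fptype, h in SSHFP_HASHES.items()]


def parse_dig_short(output):
    """Parse `dig +short <name> SSHFP` output into a set of
    (algorithm, fptype, hex) tuples.  dig prints long RDATA in
    space-separated chunks, so the chunks are joined and lower-cased."""
    records = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        alg, fptype = int(fields[0]), int(fields[1])
        records.add((alg, fptype, "".join(fields[2:]).lower()))
    return records


def verify_host_key(pubkey_line, dig_output):
    """Simplified version of the VerifyHostKeyDNS comparison: if DNS publishes
    a SHA-256 record for this key's algorithm, the SHA-256 fingerprint must
    match; otherwise a SHA-1 match is accepted.  The real client additionally
    requires the DNS answer to be DNSSEC validated (the AD bit), which this
    offline check cannot reproduce."""
    published = parse_dig_short(dig_output)
    derived = sshfp_records(pubkey_line)
    alg = derived[0][0]
    has_sha256 = any(a == alg and t == 2 for a, t, _ in published)
    wanted_type = 2 if has_sha256 else 1
    wanted = [r for r in derived if r[1] == wanted_type]
    return all(r in published for r in wanted)


if __name__ == "__main__":
    key = make_sample_pubkey()
    for alg, fptype, hexfp in sshfp_records(key):
        print(f"host.example.com IN SSHFP {alg} {fptype} {hexfp}")
    # Feed real data in with, e.g.:
    #   sshfp_records(open("/etc/ssh/ssh_host_ed25519_key.pub").read())
    #   parse_dig_short(subprocess.check_output(["dig", "+short", host, "SSHFP"]).decode())
```

To use it against a real host, pass the contents of the host's /etc/ssh/ssh_host_*_key.pub file to sshfp_records and the text of dig +short to parse_dig_short; a mismatch between the two is exactly the condition under which VerifyHostKeyDNS falls back to the interactive prompt.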

SSH Host Key Setup

Sometimes, for systems like Nagios, you need to accept host keys automatically without checking them in order to get started quickly. In /home/nagios/.ssh/config add

host *
  StrictHostKeyChecking no

Make sure the file is chmod 600 (640 may also work).


Legacy Devices

An extreme example of enabling legacy algorithms and ciphers to log into a legacy device.

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss -c aes256-cbc 192.168.15.252

Fingerprinting

By default the client prompts you to confirm the fingerprint of an unknown host. In /etc/ssh/ssh_config you can configure it not to prompt. If you often rebuild systems, the fingerprint of a rebuilt host will not match the value recorded for the long-running one.

StrictHostKeyChecking no

Or on the CLI

ssh -o StrictHostKeyChecking=no targethostnamehere

References