[Bug 3219] New: Can't connect to a server that is using several host keys of the same type

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Oct 3 07:40:34 AEST 2020 

https://bugzilla.mindrot.org/show_bug.cgi?id=3219

            Bug ID: 3219
           Summary: Can't connect to a server that is using several host
                    keys of the same type
           Product: Portable OpenSSH
           Version: 8.4p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jatjasjem at gmail.com

According to RFC 4253, "There MAY be multiple host keys for a host,
possibly 
with different algorithms."
(https://tools.ietf.org/html/rfc4253#section-7.1)

It is possible to connect using all keys that are using different
algorithms 
(e.g. you can use ecdsa-sha2-nistp256 and ecdsa-sha2-nistp521 at the
same 
time). It also seems to be possible to *specify* multiple keys of the
same 
type (e.g. two ecdsa-sha2-nistp256 keys). But in the latter case, I
couldn't 
connect using any key except the first one that was specified in
configuration.

To reproduce, run

    $ rm ~/.ssh/known_hosts
    $ cd /etc/ssh/
    $ ssh-keygen -t rsa -f ssh_host_rsa_key_2
    $ `which sshd` -ddd -p 23 \
          -oHostKey=/etc/ssh/ssh_host_rsa_key \
          -oHostKey=/etc/ssh/ssh_host_rsa_key_2 

Note that both keys are loaded:

    debug1: private host key #0: ssh-rsa
SHA256:xlqcusIXWGVZHjhv4HCW8mE5UfJi/rv6feiIL5sL9kE
    debug1: private host key #1: ssh-rsa
SHA256:HkcubZ7yV//gGxmHhOnB72gdy0nWnlNkkgBkwMHS9t4

Also note that host key algorithms has duplicate strings. This probably
should
not be happening:

    debug2: host key algorithms:
rsa-sha2-512,rsa-sha2-256,ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
[preauth]

Connect and accept the key

    $ ssh user at localhost -p 23
    The authenticity of host '[localhost]:23 ([127.0.0.1]:23)' can't be
established.
    RSA key fingerprint is
SHA256:xlqcusIXWGVZHjhv4HCW8mE5UfJi/rv6feiIL5sL9kE.
    Are you sure you want to continue connecting
(yes/no/[fingerprint])? yes
    Warning: Permanently added '[localhost]:23' (RSA) to the list of
known hosts.
    user at localhost's password:

Reconnect to verify that the key is known:

    $ ssh user at localhost -p 23
    user at localhost's password:

Now rerurn sshd but swap the two host keys, and try to connect:

    $ `which sshd` -ddd -p 23 \
          -oHostKey=/etc/ssh/ssh_host_rsa_key_2 \
          -oHostKey=/etc/ssh/ssh_host_rsa_key 

    $ ssh user at localhost -p 23
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle
attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    SHA256:HkcubZ7yV//gGxmHhOnB72gdy0nWnlNkkgBkwMHS9t4.
    Please contact your system administrator.
    Add correct host key in /home/user/.ssh/known_hosts to get rid of
this message.
    Offending RSA key in /home/user/.ssh/known_hosts:1
    RSA host key for [localhost]:23 has changed and you have requested
strict checking.
    Host key verification failed.

Also note the output of ssh-keyscan (rerun sshd wihout -d's)—it only
includes
the first key:

    $ `which sshd` -p 23 \
          -oHostKey=/etc/ssh/ssh_host_rsa_key_2 \
          -oHostKey=/etc/ssh/ssh_host_rsa_key 
    $ ssh-keyscan -p 23 localhost
    # localhost:23 SSH-2.0-OpenSSH_8.4
    [localhost]:23 ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABgQC2fitD0wgrjJNzlTeVjLH8KWCkZMW19BoRtiy64WTxGfADZugofpzgjk5+MWD+IQLWTsFeuuNU8ygwAvY9l2EfAC88U2mXbAWYRpkKrm9GWEja3d2mrEx3caRNGwhk6bG4YO+nid9KbdgpYzJp06EQG/DSIcvdohW8qwQJc0Of6l6j0Kam+p8NjKVkbXeJ7L//n52TTGjqfnydqDRk1IDq/2hf2sS88rYZ6PA4UrT0l1k/jWhLyKp4YL2p5dzgv9fbnn7LIhZhNhTugyjtZQdI5sxgtbqX13GSfOtWF811wlwuiDbDDWG69TmueKPnBUj9MQY4KILrw+Y/agLa6b9MMIrdj/ahYRfR9/TVYWQ4zsBmmmuqN4QiaRGvxaP24pYBeGvL6aU4YhKIFln89ENS9NQvCFtAX315OcnFOY+Xq6bGpGiAdess4a01O5GJzO4ePFDXZgRZlwoIwVC/edk+tl8VwQ9WxswuRsb4mq/mBGUZNfyjlkI2gu3TnZd0JM8=
    # localhost:23 SSH-2.0-OpenSSH_8.4
    # localhost:23 SSH-2.0-OpenSSH_8.4
    # localhost:23 SSH-2.0-OpenSSH_8.4
    # localhost:23 SSH-2.0-OpenSSH_8.4    

In the case of different ECDSA keys, the behavior is similar. However,
in this
case it is possible to connect by demanding the specific host key
algorithm:

    $ rm ~/.ssh/known_hosts
    $ `which sshd` -p 23 \
          -oHostKey=/etc/ssh/ssh_host_ecdsa_256 \
          -oHostKey=/etc/ssh/ssh_host_ecdsa_521
    $ ssh-keyscan -p 23 localhost
    # localhost:23 SSH-2.0-OpenSSH_8.4
    # localhost:23 SSH-2.0-OpenSSH_8.4
    [localhost]:23 ecdsa-sha2-nistp256
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL+Lcu52+K6lal94JOmPItpyMiqL57VrWZ1fmX9ntom+RiJahg8dRMR8dCxtUdo8782LwbH0uYWj/iaGh4DMJRg=
    # localhost:23 SSH-2.0-OpenSSH_8.4
    # localhost:23 SSH-2.0-OpenSSH_8.4
    # localhost:23 SSH-2.0-OpenSSH_8.4
    $ ssh user at localhost -p 23 -oHostKeyAlgorithms=ecdsa-sha2-nistp256
    The authenticity of host '[localhost]:23 ([127.0.0.1]:23)' can't be
established.
    ECDSA key fingerprint is
SHA256:TsMF+1PrXvdV9XNfrN3oYMvlL6sUc4koxtX8JekLBIY.
    Are you sure you want to continue connecting
(yes/no/[fingerprint])? ^C
    $ ssh user at localhost -p 23 -oHostKeyAlgorithms=ecdsa-sha2-nistp521
    The authenticity of host '[localhost]:23 ([127.0.0.1]:23)' can't be
established.
    ECDSA key fingerprint is
SHA256:Egg8iKcjEXSAUuzn/fLEOniOzB6BNXaXzd52FPQxYr0.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list