ECDSA and first connection; bug?

Phil Pennock phil.pennock at globnix.org
Fri Jan 28 07:04:39 EST 2011 

On 2011-01-25 at 09:25 +1100, Damien Miller wrote:
> On Mon, 24 Jan 2011, Phil Pennock wrote:
> > I read the 5.7 release announcement and updated, to try out ECDSA.  Most
> > parts worked very smoothly.  The inability to create SSHFP records is
> > understandable, since IANA haven't allocated a code yet.
> > 
> > One apparent bug: I think StrictHostKeyChecking=ask is broken for ECDSA.
> > 
> > % ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 localhost
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> 
> This is deliberate. 
> 
> Previously, a malicious server could arrange for ssh(1) to display a
> less-scary message for a changed hostkey if its host key happened to
> be a different type to one that has already been learned.
> 
> Now there should be no surprises since ssh(1) will automatically request
> hostkey type matching keys that are already known, though this does not
> occur when you override HostkeyAlgorithms (like you did). We talked about
> whether we should retain the old message in this case or not, but thought
> the safest thing to do would be consistent with the non-explicit-
> HostkeyAlgorithms case.

I accept the argument that this should be done in a more safe manner.

When I was investigating why things were failing, the error messages
given were actively confusing and led to multiple false starts, trying
to figure out what was going wrong.  Before, this error message meant
that another host-key of the *same* type had been found and therefore
there was a change which was likely an attack, while a different message
was used when you were connecting with a new key-type.

Clearer diagnostic messages which state the actual problem, rather than
recycling what was the error message for a completely different problem,
would lead to less confusion.

Eg:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Your connection negotiated host key algorithm "ecdsa-sha2-nistp256".
You have not previously connected with this algorithm but you have
connected with: "rsa", "dsa"
Please add the new host key to your known_hosts file manually.
See also: ssh-keyscan(1)
[exit]

-Phil

More information about the openssh-unix-dev mailing list