"Virtual hosts" for ssh

Dan Kaminsky dan at doxpara.com
Sat Jun 8 19:13:40 EST 2013


Host can always be malicious (believe me, I'm working on some attacks in
this space right now).  In this case, we're security equivalent to an
environment variable we can generally set anyway.

The entire authorized keys system is kind of crufty. What I like about this
request is that it's client only, it's immediately useful, and it points in
a useful direction. It's also hilariously simple.

On Saturday, June 8, 2013, Alex Bligh wrote:

> Dan,
>
> On 8 Jun 2013, at 09:34, Dan Kaminsky wrote:
>
> > Actually this isn't a bad idea. Seems like it's at the right layer,
> > doesn't require protocol rework, and exists in a namespace OpenSSH can
> > reasonably claim to own.  Only the client needs patching to upgrade the
> > entire server space!  Looks like a useful feature to have on by default,
> > with pretty deep historical evidence that sharing perceived DNS name is
> > operationally valuable.  Not seeing a security impact; some concern about
> > subsystems/sftp, but no need to block on that.
>
> +1.
>
> However, for maximum utility I think you are going to want
> to upgrade the server too, so whatever the 'virtual host'
> name is can be subject to Match style logic, appear
> as %[something] etc. Ideally you would want it
> to select different authorized_keys files, etc. etc.
> but that would obviously be too late in the day.
>
> Also unless the server sanitises this (which they won't
> if unpatched) server side users of the environment
> variable will need to be aware that a malicious
> client could set this maliciously, and catch the foolish
> who start in scripts without checking, assuming
> it's always a hostname or IP. I.e. it doesn't work
> like Apache where the vhost has already been
> validated.
>
> --
> Alex Bligh


More information about the openssh-unix-dev mailing list
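
Added example, not part of the original thread: a server-side script that checks the client-supplied virtual host name before using it, as the quoted reply warns is necessary. The hostnames, directory paths and function names are hypothetical; the thread does not name the environment variable, so the value is passed as an argument.

```shell
#!/bin/sh
# Added example: treat the client-supplied vhost name as untrusted input.
LC_ALL=C; export LC_ALL   # make the A-Z/a-z ranges and ${#var} byte-exact

# Return 0 only if $1 is shaped like a DNS hostname or IPv4 literal.
# IPv6 literals and trailing-dot FQDNs are deliberately rejected.
is_valid_vhost() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1
    # Letters, digits, dot and hyphen only: this rejects shell
    # metacharacters, slashes, whitespace and newlines.
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # No empty labels; no label starting or ending with a hyphen
    # (which also stops the value being read as a command-line option).
    case ".$name." in
        *..*|*.-*|*-.*) return 1 ;;
    esac
    # Each label is at most 63 characters.
    old_ifs=$IFS; IFS=.
    for label in $name; do
        if [ "${#label}" -gt 63 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 0
}

# Map a validated name to a directory through a fixed allowlist, so the
# client's string is never interpolated into a path or a command.
vhost_root() {
    is_valid_vhost "$1" || return 1
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    case $lower in
        git.example.org)   echo /srv/vhosts/git ;;
        files.example.org) echo /srv/vhosts/files ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs, as a client might send them.
for v in git.example.org 'git.example.org; id' ../../etc; do
    if root=$(vhost_root "$v"); then printf 'accept: %s -> %s\n' "$v" "$root"
    else printf 'reject: %s\n' "$v"; fi
done
```

A name that is well-formed but not on the allowlist is rejected as well, so the script fails closed for unknown virtual hosts.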