VisualHostKey vs. RekeyLimit vs. VerifyHostKeyDNS
Damien Miller
djm at mindrot.org
Fri Jan 3 16:22:18 EST 2014
On Thu, 2 Jan 2014, Gerald Turner wrote:
> Hello list, I'm not sure whether this is bug worthy or just my own
> insanity. I'm using 6.4p1 packages from Debian jessie and
> wheezy-backports.
>
> I like VisualHostKey, although it may not add any protection (other than
> not trusting ones own known_hosts file?), I've become accustomed to it
> as it seems that extra neurons fire when I log into a host and get a
> visual cue of what looks like a strawberry or jester hat and suddenly a
> catalog of frequent commands relevant to the particular host surface in
> mind ;-)
>
> I have two configuration problems that make VisualHostKey less usable.
>
> * RekeyLimit
>
> I'm no crypto expert, pretty much cargo-culting here, but from bits and
> pieces I've read, it seems like re-keying is crucial for a cipher like
> AES-GCM. Maybe it's just a gut feeling inspired by strongSwan IPsec
> daemons which are constantly re-keying.
>
> Every time the cipher is re-keyed, VisualHostKey clobbers the terminal,
> usually with broken line feeds such that the ascii-art is unintelligible
> and wraps off the right side of the terminal. This is annoying,
> especially with a screen(1) full of ssh sessions that may be idle and
> re-keyed several times over a weekend, coming back and having to work
> through clearing the screens of each session (^L suffices for a shell or
> emacs, but sometimes the session is in a curses application, or lost
> information while tailing a log, etc.). This gets uglier when making
> use of the fantastic ControlPersist options - seemingly logged out ssh
> session still blast the initial terminal with re-keying fingerprints.
Could you please file a bug for this on https://bugzilla.mindrot.org/ ?
We should suppress the message on rekeying.
> * VerifyHostKeyDNS=yes
>
> It seems VerifyHostKeyDNS=yes short-circuits VisualHostKey - it's
> neither displayed on initial connection, or on re-keying (good).
If you really want to see it, maybe we could make a
VisualHostKey=always option?
> So I have a funny setup:
>
> For hosts which have SSHFP records, I have set VerifyHostKeyDNS=yes
> and ineffectively set VisualHostKey=yes (never prints), and can also
> set a timed RekeyLimit rate.
>
> For hosts which don't have SSHFP, I could leave RekeyLimit at the
> default (1G none) and rarely see the re-key fingerprints, however in
> an all-or-nothing sort of decision, simply set VisualHostKey=no and be
> done with it.
>
> Am I missing something? Is there a way to comfortably get VisualHostKey
> back? Perhaps a trivial/wishlist bug with re-keying should be filed?
>
> Perhaps this is already solved by bug 2154, "Avoid key lookup overhead
> when re-keying":
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2154
Yes, it probably is.
> P.S. I think it's wonderful you folks are working on curve25519,
> ed25519, and chacha20+poly1305. I've moved a bunch of systems to ECDHE
> last year, great speedup, especially from crap Atom clients, but feel
> that I've shot myself in the foot after Schneier's denouncement of the
> NIST curves.
IMO the concerns about the NIST EC curves are a bit overblown. If the NSA
had some way of breaking EC directly, then they wouldn't need to resort
to things like Dual_EC_DRBG.
-d
More information about the openssh-unix-dev
mailing list