[Feature Request] Add (and check against) IP to known_hosts even when domain is used to connect

Joshua Dietz jospam at dietz-ulm.de
Wed Mar 25 02:23:37 AEDT 2020 

Hello Bob and thank you for your reply,

first of all I hope that I'm answering in the right way since I had 
enabled the daily digest and I'm not sure if it's the right way to use 
Thunderbirds "Reply List" feature on this digest. If it's wrong this way 
I apologize. I turned of the daily digest so my next messages should be 
correct.

> Are you aware of HostKeyAlias?
Yes I read that but as far as I understand the feature is more like 
aliasing commands in linux (so i.e if I have a server which I use as 
webserver I could create the alias "webserver", configure the hostname, 
port etc. and then just use the alias "webserver" instead of typing the 
whole line with port etc. OpenSSH will then act as if I typed everything 
like it's saved in the alias configuration. So if I understood that 
right I don't really see how this helps me with my specific problem.

> Regardless of other things, for a set of servers I recommend using
> ssh-keyscan to pre-populate the known_hosts file.
Yea you're right. Currently my approach is far from perfect (I currently 
just rely that everything is correct when first connecting to a newly 
created server)

> but it isn't clear to me where you were thinking
> of those wildcards.
By wildcards I meant the feature to change the entry in known_hosts to 
*.mydomain.com which would match this hostkey to the ssh commands 
webserver.example.com, database.example.com etc.

> An example name or two to help us understand the type of naming you
> are using would help make this more concrete.
Sure, here you go (just a made-up example):

Imagine I have two servers, Server A has the ip AA.AA.AA.AA, Server B 
has the ip BB.BB.BB.BB

I have to following services running on A:

- Webserver for website 1

- Mailserver

- Database for the Website

And the following on B

- Some backend in node

- an gitlab instance

- gitlab database

- Webserver for website 2

Further I have the domain mydomain.com

Now I would create the following dns records:

webserver.mydomain.com A-Record with content AA.AA.AA.AA

mailserver.mydomain.com A-Record with content AA.AA.AA.AA

[...]

node-backend.mydomain.com A-Record with content BB.BB.BB.BB

gitlab.mydomain.com A-Record with content BB.BB.BB.BB

[...]

If I had to add another service I would install it on one of the servers 
and then I would create a respective record and from there on I could 
connect to the server running the service by using its respective dns 
name (i.e. if I'd like to ssh into the server running the mailserver I'd 
just type ssh username at mailserver.mydomain.com

Until now it sounds like something easy to accomplish with the Alias 
feature. *But* this has a few disadventages to me:

- It requires a client side configuration which would need to be synced 
between multiple clients (i.e. laptop, pc)

- It requires to make a change (and resync to all my devices) this 
config when I move a service to another server instead of just changing 
the DNS settings which are automatically in sync

- My end-goal goes even further (I left that out in the first mail 
because it makes everything sound way more complex but I'll try to 
explain it briefly now:)

What I really want to create in the end is something like this:

A service (probably web based). Let's say it has the domain 
myservice.net. At the beginning I want to use the service just for me, 
later users shall be able to create a subdomain on this service (for 
free), i.e. username.myservice.net.

Then they shall be able to add their servers (so it's ipv4 and/or ipv6 
ips) like they would add A and AAAA records in every normal DNS service. 
The special thing is that they can add a description for every server. 
This may be keywords or even a short text summarizing all services 
running on the server.

The special thing is a custom designed DNS server (which I already 
started to implement since I did not knew that known_hosts does not save 
the ip but instead the hostname to check a servers fingerprint).

This DNS server implements a feature that I'd call "search by DNS". I 
think I should explain it with the example from above.

So Imagine I created the subdomain joshua.myservice.net on the service

Then I'd add my servers A and B with its respective ip adresses 
AA.AA.AA.AA and BB.BB.BB.BB

For server A the description could look like this: "This server runs a 
webserver for website 1, a mailserver and the respective database for 
the website"

And server B's description could look like "This server runs the node 
backend, the gitlab instance, the respective database for gitlab and the 
webserver for website 2"

Now I want to be able to use all subdomains under joshua.myservice.net 
as a search-query which resolves to the respective server as soon as the 
search has exactly one result (this is what the custom DNS server 
implements)

So i.e. I could type ssh username at git-database.joshua.myservice.net

Since only the description of Server B contains the words "git" *and* 
"database" this is the only server matching the search term and so it's 
resolved to the IP of server B, BB.BB.BB.BB

*But* (and this is why I think wildcards and aliases are not suitable 
for this) the same search could also look like this:

database.gitlab.joshua.myservice.net OR gitlab-data.myservice.net and so 
on.

So there is an infinit number of hostnames for each server. Also since 
many users could use the service and it (or one of the servers) *could* 
be hacked I don't want to use a wildcard like *.joshua.myservice.net. 
(what I mean by wildcard is explained above) This would open an attack 
vector like described here (https://superuser.com/a/1328615/933511) 
(under heading "security caveat")

In my opinion a service like this could be really useful (at least for 
me) but I don't think that it would be usable if it opens up even a 
small attack vector or if it requires more then one small client-side 
configuration change.

So as far as I can see the only option to make this useful and keep it 
secure would be if there was an option like I described to add (and 
check) hostkeys by ip even if a hostname is used to connect.

Sorry for the long message, it's pretty hard for me to explain it in 
detail in english


Thank you for your time again

Kind regards

Joshua

More information about the openssh-unix-dev mailing list