[Bug 3221] New: hostkey preference ordering is broken in some situations

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Oct 20 03:07:56 AEDT 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3221

            Bug ID: 3221
           Summary: hostkey preference ordering is broken in some
                    situations
           Product: Portable OpenSSH
           Version: 8.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: nuxi at vault24.org

We have a server at work that had the following key types: ssh-rsa,
ecdsa-sha2-nistp256, ssh-ed25519.

Recently at new key of type ssh-ed25519-cert-v01 at openssh.com was added
to the server and its causing some host key verification errors under
OpenSSH 8.4p1 if the known_hosts file already contains the
ecdsa-sha2-nistp256 key. If you're using an older version of OpenSSH or
your known_hosts file has the ssh-rsa key, then this doesn't happen.

I think that this is because in 8.4p1 the host key ordering algorithm
was changed to not do anything if it thinks the known key is the same
type as the first key in the default priority. This change didn't take
into account the fact that all the certificate algorithms were
prioritized over the non-certificate algorithms.

https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d

Before this change, if an ECDSA key was encountered in the known_hosts
file the preference would be changed to prefer the ECDSA type over
ED25519-cert. The order would be: ECDSA-cert, ECDSA, ED25519-cert,
RSA-cert, ED25519, RSA

After this change it detects that ECDSA is already the top priority and
leaves the order alone, which means that ED25519-cert is prefered over
ECDSA. The default order is: ECDSA-cert, ED25519-cert, RSA-cert, ECDSA,
ED25519, RSA

# here is the server's host key advertisement from the debug output:

debug2: host key algorithms:
ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519,ssh-ed25519-cert-v01 at openssh.com

# get all the host keys

$ ssh-keyscan -t ssh-ed25519 10.201.18.12 > known_host_ed25519
# 10.201.18.12:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
$ ssh-keyscan -t ssh-rsa 10.201.18.12 > known_host_rsa
# 10.201.18.12:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
$ ssh-keyscan -t ecdsa-sha2-nistp256 10.201.18.12 > known_host_ecdsa
# 10.201.18.12:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3

# No problems with OpenSSH 8.3p1

$ ssh -V
OpenSSH_8.3p1 Debian-1, OpenSSL 1.1.1h  22 Sep 2020
$ ssh -o UserKnownHostsFile=known_host_ecdsa 10.201.18.12 /bin/true
$ ssh -o UserKnownHostsFile=known_host_rsa 10.201.18.12 /bin/true
$ ssh -o UserKnownHostsFile=known_host_ed25519 10.201.18.12 /bin/true

# OpenSSH 8.4p1 gives a host key verification error if the known key is
ECDSA

$ ./ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1h  22 Sep 2020
$ ./ssh -o UserKnownHostsFile=known_host_ecdsa 10.201.18.12 /bin/true
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:LTkLApkY9YiVCTzXQawvLtpUgv2D1IYVzMbcsa+96OY.
Please contact your system administrator.
Add correct host key in known_host_ecdsa to get rid of this message.
Offending ECDSA key in known_host_ecdsa:1
ED25519 host key for 10.201.18.12 has changed and you have requested
strict checking.
Host key verification failed.
$ ./ssh -o UserKnownHostsFile=known_host_rsa 10.201.18.12 /bin/true
$ ./ssh -o UserKnownHostsFile=known_host_ed25519 10.201.18.12 /bin/true

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list