Human readable .ssh/known_hosts?

Demi M. Obenour demiobenour at gmail.com
Thu Oct 1 12:29:09 AEST 2020


On 2020-09-30 20:38, Bob Proulx wrote:
> Nico Kadel-Garcia wrote:
>> Damien Miller wrote:
>>> Again, you should read the documentation for CheckHostIP. Turing it off
>>> makes known_hosts solely bind to hostnames and, as long as you use names
>>> to refer to hosts, avoids any problems caused by IP address reuse.
>>
>> Have you used AWS? Unless you spend the time and effort, the hostname
>> registered in AWS DNS is based on the IP address. Many people do *not*
>> use consistent subnets for distinct classes of server or specific OS
>> images, so different servers wind up on the same IP address with
>> distinct hostkeys based on factors like autoscaling, for which IP
>> addresses are not predictable. You can work around it, by locking down
>> and sharing hostkeys for your OS images, or by segregating subnets
>> based on application and corresponding OS image. These present other
>> burdens.
> 
> I use AWS and therefore will say a few words here.  The general
> default for an AWS EC2 node is that the hostname will look like this.
> 
>     root at ip-172-31-29-33:~# hostname
>     ip-172-31-29-33
> 
> And note that this is in the RFC1918 unroutable private IP space.
> That is not and cannot be the public IP address.  The public IP
> address is routed to it through an edge route.  It's mapped.  (And
> always IPv4 since Amazon has been slow to support IPv6 and AFAIK
> elastic IP addresses can only be IPv4 still to this day.)
> 
> And if one doesn't do anything then by default Amazon will provide a
> DNS name for it in their domain space.  In the case of the above it
> will be something like this.  [ Which I have obscured in an obvious
> way.  Do you immediately spot why this cannot be valid? :-) ]
> 
>     ec2-35-168-278-321.compute-1.amazonaws.com
> 
> So in an auto-scale-out elastic configuration one might create a node
> ip-172-31-29-33 at noon, might destroy that node by evening, and then
> tomorrow recreate the node again as ip-172-31-10-42 but with the same
> public IP address and associated amazonaws.com DNS name.
> 
> This host key collision with the AWS provided DNS name is only a
> problem if 1) one uses the AWS provided DNS name and 2) one uses a
> randomly generated ssh host key.  Avoiding this problem can be done by
> avoiding either of those two things.  I don't do either of them.
> 
> I don't use the AWS supplied DNS name.  I use my own DNS name in the
> my domain space.  However I know the stated problem was lack of
> control of the DNS.  Okay.  But note that anyone can register a random
> domain and and then have control of that namespace.  I have used my
> own domain name for my personal use when working with client systems.
> Nothing prevents this.
> 
> Also for an elastic node that is just a template produced machine then
> I believe that one should override the random ssh host key with a
> static host key appropriate for the role it is performing.  This can
> be done at instantiation time automatically using any of cloud-init or
> ansible or other system configuration tool.  Since it then has a
> repeatable host key for the role then it won't mismatch when
> connecting to it.  When re-created fresh it will have the same host
> key that it had before.  I do this.
> 
> In a previous life I used to manage a bare metal compute farm and when
> the machines are simply srv001 through srv600 and all exactly
> equivalent and smashed and recreated as needed then there is no need
> for them to have unique host keys.  That's counterproductive.  I set
> them all the same as appropriate for their role.
> 
> Bob

I strongly recommend switching to SSH certificates instead.  You can
write a program that provisions each node a certificate based on its
AWS-provided identity information, which is cryptographicly signed
by an AWS secret key and so cannot be forged.

Sincerely,

Demi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20200930/cda50303/attachment.asc>


More information about the openssh-unix-dev mailing list