Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic: [EN] Testing the HostKey Rotation with OpenSSH 6.9  (Read 2239 times)

Offline musca

  • User
  • Posts: 725
  • sid, fly high!
[EN] Testing the HostKey Rotation with OpenSSH 6.9
« on: 2015/10/18, 00:52:15 »
Hello dear siduction users!
Debian has released OpenSSH 6.9 with an exciting new feature: Host Key Rotation has become reality!
Disclaimer: This new protocol extension must be evaluated by the openssh community and is still experimental.


# changelog for openssh-server 1:6.9p1-2
root@server:~$ zgrep -A4 rotation /usr/share/doc/openssh-server/changelog.Debian.gz
    - ssh(1), sshd(8): Experimental host key rotation support.
      Add a protocol extension for a server to inform a client of all its
      available host keys after authentication has completed.  The client
      may record the keys in known_hosts, allowing it to upgrade to better
      host key algorithms and a server to gracefully rotate its keys.

----------------------------- Phase 1 -----------------------------------------------------------------------------------
First have a look at the default situation (e.g. delivered with siduction IndianSummer or Debian Jessie).
On our server we have some preconfigured hostkeys (with inherent limitations).

root@server:~# grep HostKey /etc/ssh/sshd_config
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key


user@client:~$ wc -l .ssh/known_hosts
8 .ssh/known_hosts

user@client:~$ ssh server
The authenticity of host 'server (192.168.2.107)' can't be established.
ECDSA key fingerprint is SHA256:vKTEl9+6bodSXgQ//f+Sma6JfJ2KxczKhZHqjqAoTO0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server,192.168.2.107' (ECDSA) to the list of known hosts.
user@server's password:
Linux server 3.12-8.towo-siduction-amd64 #1 SMP PREEMPT Thu Jan 16 09:11:45 UTC 2014 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 17 12:26:36 2015
user@server:~$ logout
Connection to server closed.

user@client:~$ wc -l .ssh/known_hosts
9 .ssh/known_hosts

So, on the client for every server we have added exactly one entry in our known_hosts.
The ugly side is: Changing the selected Hostkey requires the user to remove the old entry from known_hosts.
In the second step the user has to verify the newly added HostKey. How do you know your involved finger prints?

----------------------------- Phase 2 --------------------------------------------------------------------------------------
Now let's move to the new Ecliptic Curve Diffie-Hellman (ED25519) algorithm for server authentication.


root@server:~# ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
[... output snipped ...]
root@server:~# grep HostKey /etc/ssh/sshd_config
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key                   # Here I added a new HostKey line
root@server:~# systemctl restart sshd.service

user@client:~$ ssh -o UpdateHostKeys=True server        # we still use ecdsa_key from known_hosts
user@server's password:
Linux server 3.12-8.towo-siduction-amd64 #1 SMP PREEMPT Thu Jan 16 09:11:45 UTC 2014 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 17 19:53:18 2015 from 192.168.2.102
user@server:~$ logout
Connection to server closed.

user@client:~$ wc -l .ssh/known_hosts
12 .ssh/known_hosts                                 # success: 3 keys added for future use

So, on the client we use "UpdateHostKeys" to collect all offered keys from the server.
The openssh-client uses a configurable list of Key-Exchange (KEX-) Algorithms to select a HostKey.
By default ed25519 is preferred over ecdsa and rsa. dsa is too weak and must be avoided.

------------------------------- Phase 3 ----------------------------------------------------------------------
After a grace period for all clients, we can proceed and remove unused keys from the server.

root@server:# grep Hostkey /etc/ssh/sshd_config
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key           # rsa can have 4096 bits, or more.
# only 1024 bits: HostKey /etc/ssh/ssh_host_dsa_key      # commented, disabled dsa key
# NIST suckage:   HostKey /etc/ssh/ssh_host_ecdsa_key    # commented, disabled ecdsa key

user@client:~$ ssh -o UpdateHostKeys=True server
Warning: the ED25519 host key for 'server' differs from the key for the IP address '192.168.2.107'
Offending key for IP in /home/user/.ssh/known_hosts:9
Matching host key in /home/user/.ssh/known_hosts:10
Are you sure you want to continue connecting (yes/no)? yes
user@server's password:
Connection closed by 192.168.2.107

user@client:~$ wc -l .ssh/known_hosts
12 .ssh/known_hosts                                       # removed keys stay in known_hosts

The user only needs to confirm the change (yes), but enjoys hassle-free security.

----------------------------- Phase 4 ------------------------------------
Optionally we can re-add the removed HostKeys if necessary.
This allows to quickly replace compromised keys without delay.
-----------------------------------------------------------------------------

tldr; Final conclusion:

1. We immediately can add additional HostKeys for future use.
    All openssh-clients need to be configured to use the UpdateHostKeys option.
    Once the client successfully authenticates, it will acquire all the offered keys.

2. When enough clients have acquired the new keys, we can remove unused keys from the server.
    The removed keys optionally can be seen as spare keys for future use and later be readded.

3. You can continue to offer rsa keys for legacy clients, only openssh-client supports rotation.

Sources:
rotation: http://blog.djm.net.au/2015/02/key-rotation-in-openssh-68.html
crypto: https://stribika.github.io/2015/01/04/secure-secure-shell.html

greetings
musca
     
β€žEs irrt der Mensch, solang er strebt.β€œ  (Goethe, Faust)